DMARC is an anti-spoofing mechanism based on DKIM and can be used in a strict way. It prevents sending emails fraudulently claiming to be from an origin that has a strict DMARC policy. It's verified by mail servers when receiving mail to stop spoofing, so still not long-term.
Conversation
So you're 100% right that it's short-term and not meant to be verifiable long-term, but it's not just anti-spam due to DMARC.
They could much more frequently rotate keys and publish the old ones without breaking what it's meant to achieve. Rotating fast isn't really possible.
2
Gmail had the same public key from 2012 to 2016 and still hasn’t published their secret key for that time period. I see no reason why that’s a good thing.
For all we know, it’s been stolen since then and the *only* people who can forge messages credibly are state actors.
1
2
The AP even publishes a tool for verifying signatures to authenticate stolen emails.
1
1
Yeah, I mean that the practical limit is a key being valid for a week or so and then valid for another week or so after that because of how mail servers work. Could publish the private key once it's removed from DNS records with a fair bit of leeway for overly long DNS caching.
2
1
If mail servers didn't work in this weird asynchronous way with the standards calling for retrying later, it'd be possible to quickly rotate them. Can't really avoid it being verifiable for a couple weeks that the email was sent from the domain.
1
For non-Gmail, where the keys aren't widely archived, it's still possible to make these kinds of claims if you've archived DNS records for the domain and they have DNSSEC.
Of course, someone may have compromised the keys and forged emails, which could be the case here.
1
Google is really good at protecting its keys. But there’s no indication that they’ve been able to protect four year old DKIM signing keys that well.
1
Then again if DKIM is just a SPAM salve on the consciousness of mail providers perhaps its only important to rotate the keys when we see actual faked signatures
I know I would not use DKIM unless I was forced too
1
It's important as part of DMARC to prevent spoofing. However, Gmail has a p=none DMARC policy, so you can send successfully spoofed emails claiming to be from gmail.com to other mail servers by omitting a DKIM signature.
1
2
They should really have a p=reject or at least p=quarantine policy though... and it's a pretty serious problem that they don't. It means when you get an email from gmail.com at another provider, even if they enforce DMARC, you have to check to see if it's spoofed.
They have sp=quarantine so you can't spoof an email from anything.gmail.com but they don't stop it for the gmail.com domain itself. Likely due to not wanting to upset people used to being able to spoof mails from their own address without going through gmail.
1
1
Lots of marketing/promotion services and third party tools and integrations and similar which behaves this way. All kinds of social media email sharing works this way too. Sometimes almost out of necessity - you don't always want to share direct access to your mailbox.
1
Show replies