Chattanooga Unix Gnu Android Linux Users Group
Email message authentication, encryption

From: David White 
------------------------------------------------------
I'm beginning to explore ways that I can authenticate (and possibly sign)
my email, and I'm wondering if folks have any opinions about GPG for this
use case.

I'm very familiar with SPF, DKIM, and DMARC records (in DNS), but while
these mechanisms provide a way for receiving mail servers to reliably
identify whether or not the incoming message came from the legitimate
sender, it seems to me that this doesn't provide a reliable way to reliably
determine whether or not the message was modified in transit.

These mechanisms obviously also don't even touch on full message encryption.

I know that GPG uses asymmetric encryption to sign a message (i.e. not the
whole message is encrypted, just the signature).

But it seems to me that this just serves the same purpose as DKIM. What's
the difference? (Ok, 1 is DNS based and the other is client-side based, but
other than this... any difference?)

I'm also confused about the adoption rate of clients when it comes to
GPG. Is this something that you'd normally have to implement on your own
email client in order to "use", or do the most popular clients
automatically use it?

This is just 1 of the security-related questions I'm exploring right now,
in an effort to ramp up my own email security and protect my domain's
reputation.

Thanks,
David

-- 
- David White -
Smooth Stone Services *(soon to be CENTS)*
*Computing, Equipping, Networking, Training & Supporting *
*Nonprofit Organizations Worldwide*

Existing Website: http://www.smoothstoneservices.com
New Website (coming soon): http://developCENTS.com

===============================================================
From: Billy
------------------------------------------------------
Think of it like snail mail.

One way ensures the message came from that street address and only that street address.

The other way ensures that the message inside the envelope was not tampered with and was written by the person it says it was written by.

Gpg can also fully encrypt the message. Thus ensuring that the envelope wasn't opened, that only the recipient can open it, and that it was indeed written by the person that it says wrote it.

Sent from my iPhone

===============================================================
From: John Aldrich
------------------------------------------------------
Also, with regards to the question about using GPG in your email client. Most email clients will require a plugin of some sort. Some will not work with GPG at all (Don't know if the latest version of Windows Mail will, for example.) Last time I looked at GPG and MS Outlook, it was kind of a kludge as there was not a real "Microsoft-blessed" plugin.

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SPF and DKIM (DMARC is just a policy using the first two) do not reliably indicate anything about the sender. They verify the server sending the mail is "approved" (in SPF case) or signed some subset of the message content + headers (DKIM). That might give you some server + domain relationship information, but it gives you absolutely nothing as far as sender verification/validation.

If you want to verify message content was not modified, a GPG signature can give you that, but the other end has to be running GPG as well.

Regards,

dtb

- --
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDdwBQACgkQABP1RO+tr2T1EwCdHBmaw0/tyWxGjXKeZRPj2Jlm
g/0An2QL7ZBtZ5Dv1xqdqBkWEATosJr6
=8Kcf
-----END PGP SIGNATURE-----
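An added example, not part of the thread, that makes Dave's "some subset of the message content + headers" concrete: it parses a DKIM-Signature header to list exactly which headers the domain's signature covers (the h= tag, which RFC 6376 requires to include From) and recomputes the body hash (bh=) under "simple" body canonicalization, so a body edited in transit shows up as a mismatch. The message and selector are constructed here; the b= value is a placeholder because checking it needs the domain's public key from DNS, which this offline script does not fetch.

```python
"""DKIM body-hash (bh=) and covered-header (h=) check, standard library only."""
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop all trailing empty lines,
    leave exactly one CRLF at the end (an empty body becomes a single CRLF).
    Input is expected to use CRLF line endings, as on the wire."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def parse_tags(sig_header: str) -> dict:
    """DKIM-Signature is a ';'-separated tag=value list; folding whitespace
    inside values is not significant, so it is stripped."""
    tags = {}
    for item in sig_header.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def covered_headers(sig_header: str) -> list:
    """Header fields the signing domain actually signed (h= tag)."""
    return parse_tags(sig_header)["h"].lower().split(":")


def body_hash_matches(sig_header: str, body: bytes) -> bool:
    """True if the body still hashes to the bh= the signer committed to."""
    return parse_tags(sig_header)["bh"] == body_hash(body)


# Constructed sample message (hypothetical domain/selector, not from the thread).
SAMPLE_BODY = b"Hi,\r\n\r\nPlease review the attached invoice.\r\n\r\n\r\n"
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel1;\r\n"
              " h=from:to:subject:date;\r\n"
              " bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
              " b=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE")
```

Note that a matching bh= only says the body is what example.org's mail server signed; it says nothing about which person wrote it, which is the gap Dave describes and the part a GPG signature from the author's own key fills.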