
Feature: Expand support for Authentication-Results #473

Open
namelessmasses opened this issue Dec 1, 2024 · 0 comments
Labels
enhancement Improvements or new features

Comments

@namelessmasses (Contributor)

Background

Many email providers are adding "anonymous" or "random" address features, e.g. Apple's "Hide My Email", Fastmail's "Masked Email", etc. With no standardized process for authorization verification, some providers leave the signature there (Fastmail "Masked Email"). Other providers verify the signature, include their results, and remove the signature (Apple "Hide My Email").

DKIM header field displays verifier

When displaying the parsed Authentication-Results in the DKIM header row, DKIM header fields include the server noted as having verified the authentication.

For the following example,

Authentication-Results: dkim-verifier.icloud.com;
	dkim=pass (1024-bit key) header.d=costalerts.amazonaws.com [email protected] header.b=uaPCyL0A

the DKIM bar might display the fully accessible option

DKIM: Valid (Signed by costalerts.amazonaws.com; Verified by dkim-verifier.icloud.com)

and provide an option to move the verification to a tooltip since not all users have easy access to a mouse to hover for tooltips.

For local verification, the DKIM bar might display

DKIM: ; Verified locally by "DKIM Verifier"

Risk Analysis

No risks perceived at this time.

Allow DKIM "success" for trusted verification servers

If no DKIM signature is available, and all DKIM Authentication-Results are from trusted authentication servers, and all DKIM Authentication-Results pass, then allow the DKIM success with an indication that the success is based on "trusted" authenticators.

Risk Analysis

  • Relies on explicit trust of the creator of the Authentication-Results headers, and that they have not been forged.
    • dkim_verifier already implies a certain level of trust in these headers when the user opts to display them in the DKIM header row. While this is not an explicit trust, as it simply displays what's in the headers, it can begin to create implicit trust as the user sees these more often.
    • Ensuring the UX clearly indicates the basis of the final result can help to mitigate this risk.
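The parsing and trust decision described in the issue above, as an added example that is not code from the dkim_verifier add-on or from the issue author. It parses RFC 8601 Authentication-Results header fields (authserv-id, then `method=result` entries with `ptype.pname=value` properties, with RFC 5322 comments such as `(1024-bit key)` stripped) and derives the DKIM-bar text in both modes proposed: local verification when a DKIM-Signature is present, and the "trusted authenticator" fallback when the signature was removed. The function names, `TRUSTED_AUTHSERV`, the `hasSignature`/`localResult` inputs and the `mx.example.net` sample headers are assumptions constructed for the example; only the icloud.com header comes from the issue.

```javascript
// Added example, not code from the dkim_verifier project. Parses RFC 8601
// Authentication-Results values and derives the DKIM bar text proposed in the
// issue. Function names, TRUSTED_AUTHSERV and the input shape are assumptions.

// Unfold RFC 5322 header continuation lines into a single line.
function unfold(value) {
  return value.replace(/\r?\n[ \t]+/g, " ").trim();
}

// Remove RFC 5322 comments such as "(1024-bit key)", honouring nesting.
function stripComments(s) {
  let out = "";
  let depth = 0;
  for (const ch of s) {
    if (ch === "(") depth++;
    else if (ch === ")" && depth > 0) depth--;
    else if (depth === 0) out += ch;
  }
  return out;
}

// Parse one Authentication-Results value into
// { authserv, results: [{ method, result, props: { "ptype.pname": value } }] }.
// Quoted-string property values containing ';' or whitespace are not handled.
function parseAuthenticationResults(value) {
  const parts = stripComments(unfold(value))
    .split(";")
    .map((p) => p.trim())
    .filter(Boolean);
  // First element: authserv-id, optionally followed by an authres-version number.
  const authserv = (parts.shift() || "").split(/\s+/)[0].toLowerCase();
  const results = [];
  for (const part of parts) {
    if (/^none$/i.test(part)) continue; // "none": the server performed no checks
    const tokens = part.split(/\s+/);
    const m = /^([a-z0-9-]+)(?:\/\d+)?=([a-z0-9-]+)$/i.exec(tokens[0]);
    if (!m) continue; // not a method=result pair; ignore rather than guess
    const entry = { method: m[1].toLowerCase(), result: m[2].toLowerCase(), props: {} };
    for (const t of tokens.slice(1)) {
      const pm = /^([a-z]+)\.([a-z0-9_-]+)=(.+)$/i.exec(t);
      if (pm) entry.props[`${pm[1]}.${pm[2]}`.toLowerCase()] = pm[3];
    }
    results.push(entry);
  }
  return { authserv, results };
}

// Assumed: authserv-ids the user has explicitly marked as trusted.
const TRUSTED_AUTHSERV = new Set(["dkim-verifier.icloud.com"]);

// Derive the DKIM bar text.
//   hasSignature: a DKIM-Signature header is present (localResult is then required)
//   localResult:  { result: "pass"|"fail"|..., sdid } from the add-on's own verification
//   arHeaders:    raw Authentication-Results values, topmost first
function dkimDisplay({ hasSignature, localResult = null, arHeaders = [], trusted = TRUSTED_AUTHSERV }) {
  const dkimResults = [];
  for (const raw of arHeaders) {
    const ar = parseAuthenticationResults(raw);
    for (const r of ar.results) {
      if (r.method === "dkim") dkimResults.push({ authserv: ar.authserv, ...r });
    }
  }
  const unique = (xs) => [...new Set(xs.filter(Boolean))];

  if (hasSignature) {
    // Signature present: local verification decides; remote verifiers are informational.
    const label = localResult.result === "pass" ? "Valid"
      : localResult.result === "fail" ? "Invalid" : `Result: ${localResult.result}`;
    const others = unique(dkimResults.filter((r) => r.result === "pass").map((r) => r.authserv));
    const extra = others.length ? `; also verified by ${others.join(", ")}` : "";
    return {
      status: localResult.result,
      basis: "local",
      text: `DKIM: ${label} (Signed by ${localResult.sdid}; Verified locally by "DKIM Verifier"${extra})`,
    };
  }
  if (dkimResults.length === 0) {
    return { status: "none", basis: "none", text: "DKIM: No signature" };
  }
  // Signature removed: accept only if every DKIM result comes from a trusted
  // authserv-id and every one of them is a pass. One untrusted or failing entry
  // disqualifies the whole set, so a forged extra header cannot upgrade the result.
  const allTrusted = dkimResults.every((r) => trusted.has(r.authserv));
  const allPass = dkimResults.every((r) => r.result === "pass");
  if (allTrusted && allPass) {
    const domains = unique(dkimResults.map((r) => r.props["header.d"]));
    const verifiers = unique(dkimResults.map((r) => r.authserv));
    return {
      status: "pass",
      basis: "trusted-authserv",
      text: `DKIM: Valid (Signed by ${domains.join(", ")}; Verified by ${verifiers.join(", ")})`,
    };
  }
  return { status: "none", basis: "unverified", text: "DKIM: No signature (remote results not trusted)" };
}
```

The `basis` field is what the UX should surface so the user can tell a locally verified result from one taken on trust; note that an authserv-id match alone does not prove the header was written by that server, so a deployment would additionally restrict trust to the topmost Authentication-Results field added by the user's own receiving MTA.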
@lieser lieser added the enhancement Improvements or new features label Dec 20, 2024