Signing (and Encrypting) Mails with gpg like DKIM

Stuart Longland stuartl at longlandclan.id.au
Sun Sep 1 06:46:58 CEST 2024


On 1/9/24 02:29, T. S. wrote:
> after looking into DKIM details, I started searching, why the same procedure
> cannot be used for gpg?

DKIM signs emails that are sent server-to-server.  It does not perform 
encryption of the email (that is done by the sending server sending the 
`STARTTLS` SMTP command and the pair negotiating a cipher).

Crucially, DKIM does not:

1. end-to-end digitally sign the email. The email is not signed until it 
is transmitted by your mail server; malicious code (or users) on the 
server can still manipulate it before sending.

2. perform any encryption. DKIM is about verifying sender *identity* 
(the I).  "Sender" being the server, not you the user.  Emails may be 
passed between servers via TLS, but the messages themselves will be 
stored clear-text at each hop.

For end-to-end encryption/signing, you need to apply this before your 
outgoing SMTP server receives it… that's where S/MIME and OpenPGP come in.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
   ...it's backed up on a tape somewhere.
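Added illustration (not part of the mailing-list post above): a small Python model of the point that a DKIM signature is applied by the outgoing server, after anything on that server has had its chance to edit the message, whereas an OpenPGP or S/MIME signature is applied in the user's mail client before submission. The body hash follows the "simple" body canonicalisation of RFC 6376 (CRLF line endings, trailing empty lines dropped, base64 SHA-256 as in the `bh=` tag). The signing primitive is a keyed HMAC standing in for the RSA/Ed25519 signature a real DKIM signer or OpenPGP key would produce; the key names, message text and the "tampering" step are constructed for the example.

```python
"""Where DKIM signs versus where OpenPGP/S-MIME signs (constructed model).

HMAC is used as a stand-in for an asymmetric signature so the example runs
with the standard library only. The behaviour being shown is *what* gets
signed and *when*, not the signature algorithm itself.
"""
import base64
import hashlib
import hmac

# Constructed key material; not real keys.
USER_KEY = b"user-openpgp-key-stand-in"   # held only by the user's mail client
SERVER_KEY = b"mta-dkim-key-stand-in"     # held by the outgoing mail server


def canonicalise_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalisation: CRLF endings, trailing
    empty lines removed, an empty body becomes a single CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n"
    return "".join(line + "\r\n" for line in lines).encode()


def dkim_body_hash(body: str) -> str:
    """Value a DKIM signer would place in the bh= tag (base64 of SHA-256)."""
    digest = hashlib.sha256(canonicalise_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def sign(key: bytes, data: bytes) -> str:
    # Stand-in for RSA/Ed25519 signing.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def user_compose_and_sign(body: str) -> dict:
    """Mail client step: end-to-end signature over the body, before any
    server sees the message (the OpenPGP/S-MIME position)."""
    return {"body": body, "pgp_sig": sign(USER_KEY, canonicalise_body_simple(body))}


def server_edit(msg: dict, injected: str) -> dict:
    """Anything running on the submission server can edit the body here,
    because DKIM signing has not happened yet."""
    return {**msg, "body": msg["body"].rstrip("\n") + "\n" + injected + "\n"}


def server_dkim_sign(msg: dict, headers: str) -> dict:
    """Outgoing MTA step: hash the body as it is *now* and sign the headers
    plus the body hash with the server's key."""
    bh = dkim_body_hash(msg["body"])
    b = sign(SERVER_KEY, (headers + "\r\nbh=" + bh).encode())
    return {**msg, "headers": headers, "dkim": {"bh": bh, "b": b}}


def receiver_verify(msg: dict) -> dict:
    """Receiving side checks both signatures independently."""
    dkim = msg["dkim"]
    body_ok = dkim_body_hash(msg["body"]) == dkim["bh"]
    sig_ok = verify(SERVER_KEY, (msg["headers"] + "\r\nbh=" + dkim["bh"]).encode(), dkim["b"])
    pgp_ok = verify(USER_KEY, canonicalise_body_simple(msg["body"]), msg["pgp_sig"])
    return {"dkim": body_ok and sig_ok, "openpgp": pgp_ok}


def scenario(edited_on_server: bool) -> dict:
    """Run the whole path; returns which signature still verifies."""
    msg = user_compose_and_sign("Please wire the invoice to account A.\n")
    if edited_on_server:
        msg = server_edit(msg, "Correction: use account B instead.")
    msg = server_dkim_sign(msg, "from: alice@example.com\r\nsubject: invoice")
    return receiver_verify(msg)


if __name__ == "__main__":
    print("untouched :", scenario(False))   # both verify
    print("edited    :", scenario(True))    # DKIM verifies, OpenPGP does not
```

In the edited run the DKIM check still passes, because the server computed `bh=` over the already-modified body, while the end-to-end signature fails; that is the gap the post describes. The canonicalisation helper also shows why trailing blank lines added in transit do not break a DKIM body hash.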
