[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Sending using my @debian.org in gmail

On 2018-11-30 4:58 p.m., Paul Wise wrote:
> On Sat, Dec 1, 2018 at 1:49 AM Alexandre Viau wrote:
>> Debian can specify which servers it sends emails from and ask mail
>> servers around the world to only accept emails from these servers and
>> discard the others.
> Does this break the bounce/resend/redirect feature of various MUAs?
> i.e., arbitrary parties must be able to redirect mail they have
> received from d.o addresses to other parties via arbitrary SMTP
> servers, with everyone still able to differentiate between forged d.o
> mail and mail sent through d.o but redirected later by arbitrary
> parties.

DMARC/SPF don't have to deny bounces to achieve good security as long as
the original email was sent from a Debian MTA and signed with DKIM.

You can use DMARC to say that all outgoing Debian emails will be signed
by a domain key.

This means: If there is an email signed by debian.org's domain key that
pretends to come from aviau@debian.org, then the owner of the debian.org
domain has done due diligence to verify that aviau actually wanted to
send that email (for example by allowing me to set an SMTP password in

Read about DKIM here:
 - https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

DKIM was actually used in the past verify that leaked emails were legit:
 - https://wikileaks.org/DKIM-Verification.html

DMARC, SPF and DKIM can be used together prevent almost all scenarios of
debian.org email spoofing.


Alexandre Viau

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: