Comment by georgyo

4 years ago

Does it though?

IMAP is really kinda an object store, where the objects are emails. Modifying emails stored remotely is already extremely trivial.

DKIM and ARC make this a bit more secure, but they are the only way to validate an email is authentic.

With DKIM key rotation at providers like AWS SES and others, after a period of time it is impossible to validate old emails as authentic. For SES it takes only 9 months for that to happen.

Key rotation doesn't make it impossible to validate, unless the old private key gets disclosed. I don't think many providers do that.

  • You need access to the public key, which is in DNS, which won't be accessible after it is rotated.

    The provider has no reason to keep either the public or private key either.

    • I assumed historical DKIM public keys were easy to find on the web, but that doesn't seem to be the case. This is weird because they are very little data and don't rotate every year, so archiving every key from Google, Amazon, etc. would be easy.

      Of course you would need multiple trusted sources for the key to have confidence that the mail is legit.
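
An added example, not part of the thread: it derives the DNS name (`<selector>._domainkey.<domain>`) where an old message's DKIM public key was published, then accepts an archived copy of that key only when several independent archives agree on it. The archive names, the signature header and the key values are constructed placeholders, and the archive format (a dict of DNS name to TXT record per source) is an assumption.

```python
import re
from collections import Counter

def parse_tag_list(text):
    """Parse an RFC 6376 tag=value list (DKIM-Signature value or key TXT record)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", text)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_record_name(dkim_signature):
    """DNS name whose TXT record held the signing key: <s>._domainkey.<d>."""
    tags = parse_tag_list(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def archived_key(dns_name, archives, min_sources=2):
    """Return the p= value only if at least min_sources archives agree on it."""
    votes = Counter()
    for records in archives.values():
        p = parse_tag_list(records.get(dns_name, "")).get("p")
        if p:  # an empty p= means the key was revoked, so it gets no vote
            votes[p] += 1
    if not votes:
        return None
    key, count = votes.most_common(1)[0]
    return key if count >= min_sources else None

# Constructed sample data: not a real signature, not real keys.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2019;\r\n"
             "\th=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=; b=c2FtcGxl")
ARCHIVES = {  # hypothetical archive sources
    "archive-a": {"sel2019._domainkey.example.com": "v=DKIM1; k=rsa; p=QUJDREVG"},
    "archive-b": {"sel2019._domainkey.example.com": "v=DKIM1; k=rsa; p=QUJDREVG"},
    "archive-c": {"sel2019._domainkey.example.com": "v=DKIM1; k=rsa; p=WFlaMTIz"},
}

if __name__ == "__main__":
    name = key_record_name(SIGNATURE)
    print(name, archived_key(name, ARCHIVES))
```

The key returned this way would still have to be fed to a DKIM verifier together with the full message; this block covers only locating and cross-checking the archived key.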