Comment by dataflow
4 years ago
> doesn't this open up the ability alter e-mail history at will?
Yes. It should invalidate the DKIM signature though, which mainstream servers add to each email now. So it's possible to prove the contents of that email haven't been tampered with... assuming you have a record of the sending domain's public DKIM key. I imagine your email provider would have logs indicating you modified an email too, but I have no evidence of this, nor how eagerly they would dig up such logs for a court if they have any.
I have no idea how people deal with this in practice in court. (What if the domain's DKIM key has changed? Is there an authoritative source of old DKIM keys for most domains?)
I highly suspect that, in the vast majority of legal proceedings (all but the most high-budget high-stakes ones), all involved simple assume that all the (PDF exports of / hard-copy print-outs of) emails in the case files are genuine. I doubt that the possibility of email tampering even occurs to them.
And, in the minority of cases where it really matters, and where they really suspect foul play, them I'd assume that they rely on numerous bits of technical evidence (proxy copies, CC'ed copies, file system forensics), plus on one person's testimony vs another's, because as you say, DKIM's usefulness is limited.
Isn't that the part of the trial where a lawyer asks a witness or defendant or whoever "Did you on the date X write an email saying "blah"? And the person says yes. That avoids assumptions since no-body challenges it.
Similar to how warnings to "stop illegal action X" eliminates "I didn't know it was illegal" arguments (if they continue).
Posts like this[1] show that intentionally leaked DKIM keys are a thing. I'm not sure how common that practice is.
[1] https://news.ycombinator.com/item?id=24972609
Yeah I've seen that post, but I have yet to hear of any domain that actually does that (modulo the author's own domains).