Oversigning Headers, what is it and how does one do it?

I’ve read in multiple places that DKIM Oversigning is a good safety measure, but I’ve discovered little information about what it is or how it’s done.

From bird[.]com/blog/dkim-oversigning-to-help-avoid-replay-attacks…

“DKIM Oversigning” is an extra security measure that can be taken to reduce the chance that a valid DKIM signature can be leveraged for malicious purposes. It works by “oversigning” sensitive headers (To, From, and Subject), even if they are left blank. It’s akin to filling out every phone number box (cell, home, work) on an important form, even if you’re just using one phone.

How would one implement Oversigning? Can it be done in Google Workspace?

Oversigning works as follows. The (outgoing) mail server is configured to use DKIM. So it contains a private key (associated with the public key that is published in DNS). But it is also configured as to which fields are to be signed. For example, the server can be configured to sign only the “from”, “to”, “date” and “subject”.

In that case, the receiver (user) can see in the mail properties that the DKIM header contains “h=From:To:Date:Subject;”

However, if some man-in-the-middle inserts another “from” header, this can go unnoticed (i.e. it is not part of the mail that is signed by the DKIM signature).

Now, if you use oversigning, the mail server administrator can change the mail server configuration to e.g. specify “h=From:From:To:Date:Subject;”.

This double “From:” looks silly, but it means that for ‘legal’ mail there is an explicit “empty second From” header as part of the DKIM signature. If the man-in-the-middle now tries to insert another “from” header, the DKIM signature gets ‘broken’ (in other words, the verifier at the receiving end will get another DKIM signature and thus have a failing DKIM signature).

I hope this explains it a bit.

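As an added illustration (not code from this thread or from any DKIM library), the Python below reproduces the RFC 6376 bottom-up header selection over constructed sample headers and shows why a prepended second From: header changes the signed header hash only when From is listed twice in h=. The hypothetical signer and attacker headers are constructed for the example; the DKIM-Signature header itself is left out of the hash for brevity.

```python
import hashlib

# Constructed sample headers (name, value) in wire order, top to bottom.
# The DKIM-Signature header itself is left out of the hash for brevity.
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "Bob <bob@example.net>"),
    ("Date", "Mon, 01 Jan 2024 12:00:00 +0000"),
    ("Subject", "Quarterly report"),
]

# Constructed tampering: a second From: is prepended, which is the copy
# many mail clients display while the original stays lower in the block.
INJECTED_HEADERS = [("From", "Mallory <mallory@attacker.example>")] + ORIGINAL_HEADERS


def relaxed_canon(name, value):
    """RFC 6376 3.4.2 'relaxed' header canonicalization: lowercase the
    name, unfold, squeeze whitespace runs to one space, trim the value."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n"


def select_signed_headers(headers, h_tag):
    """RFC 6376 5.4.2 selection: for every name in h=, take the last
    not-yet-used instance, scanning from the bottom of the header block
    upwards. A name listed more often than it occurs selects nothing for
    the surplus entries; oversigning pins that 'nothing' into the hash."""
    used, selected = set(), []
    for name in h_tag.split(":"):
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == name.lower():
                used.add(idx)
                selected.append(headers[idx])
                break
    return selected


def header_hash(headers, h_tag):
    """Hash of the canonicalized header set the signature would cover."""
    data = "".join(relaxed_canon(n, v) for n, v in select_signed_headers(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()


def signature_survives(h_tag):
    """True if the injected From: leaves the signed header hash unchanged."""
    return header_hash(ORIGINAL_HEADERS, h_tag) == header_hash(INJECTED_HEADERS, h_tag)


if __name__ == "__main__":
    print("h=From:To:Date:Subject      ->", signature_survives("From:To:Date:Subject"))
    print("h=From:From:To:Date:Subject ->", signature_survives("From:From:To:Date:Subject"))
```

With the plain h= list the verifier still picks the original (bottom-most) From: and the signature passes despite the injected header; with From oversigned, the second slot that was empty at signing time now selects the injected header, so the hash no longer matches.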