Inbound verification of DKIM signature
From what I understand based on responses to another support ticket, incoming messages that are processed via mailgun routes are not validated using DKIM. This would seem to pose a security hole. Consider the following scenario:
- A malicious sender creates a message and signs it using DKIM (but the signature is bad because the sender does not have the private DKIM key.)
- This message is received by mailgun for processing via routes. ** The DKIM signature is not verified by mailgun (according to what I have been told by mailgun support.)
- Mailgun may add new headers to the message and computes a new DKIM signature.
- Message is sent to the address specified via the route.
- Final recipient validates the mailgun DKIM signature successfully.
This is a problem because the final recipient is receiving a message which appears to have a valid DKIM signature when the original sender provided an invalid one.