On 10/16/2010 2:39 AM, Mark Delany wrote:
My problem is that if some valuable domain like paypal sends me a
bunch of bits that I or my MUA or my MTA ties to paypal.com then the
end goal of DKIM is, IMO, that those bunch of bits I "see" are the
ones that paypal sent. No more, no less.
To murder another idiom: "What you see is what they sent" is I believe
the ultimate goal of DKIM. Or, "what you complain about is what they
My point is that DKIM is used within an environment that has a wide range of
attacks, such as including social. While it's of course fair to say that DKIM
"protects" the bits it covers, there are two lines of potential
The first is, of course, the bits not covered.
The second is that DKIM provides certain kinds of protection, for the bits it
protects, and not others.
So when we say that DKIM protects some bits, we need to be clear what it is
/not/ doing for those bits and what, associated /other/ bits are still subject
My own observation is that nearly all discussions about DKIM do not reflect
-- and often don't reflect understanding -- about these constraints. This
to overly ambitious expectations for what DKIM can do.
NOTE WELL: This list operates according to