[Maybe this is not within the scope of DKIM, but I will ask it
anyway since it may affect how well DKIM is accepted.]
What prevents a malicious domain from spoofing a sender's address?
I.e., is there anything in DKIM that (effectively) prevents a malicious
domain from using my personal address, or anyone else's address?
Section 6.6 appears to try to address this, but I am not sure
it is strong enough:
In order to retain the current semantics and visibility of the From
header field, verifying mail agents SHOULD take steps to ensure
that the signing address is prominently visible to the user if it
is different from the From address. If MUA implementations that
highlight the signed address are not available, this MAY be done
by the validating MTA or MDA by rewriting the From address in a
manner which remains compliant with [RFC2822]
Is SHOULD good enough? And is rewriting, at least in the given
example, sufficient?
For example, ispoofyou.org creates the appropriate DNS records
containing all required key information for DKIM usage and
sends out a message like the following:
DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
c=simple; q=dns;
h=Received : From : To : Subject : Date : Message-ID;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
VoG4ZHRNiYzR;
Received: from 10.2.3.4-example.com [10.2.3.4]
by submitserver.example.com with SUBMISSION;
Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
From: Joe User <joe.user@example.com>
To: Suzie Q <suzie@shopping.example.net>
Subject: I need your help?
Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
Message-ID: <20030712040037.46341.5F8J@example.com>
...
Assuming appropriate re-writing is done, the final From would
be:
"Joe User via <@ispoofyou.org>" <joe.user@example.com>
Is this enough for an end user to determine that Joe User actually
sent the email?
Am I overlooking something?
--ewh
P.S. If From: is rewritten, should the original From be "saved"
somewhere?
P.P.S. The
From: John Q. User <user@example.com>
example in 6.6 should have "John Q. User" in quotes (due to the period).
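As an added illustration (not part of the original post or of any DKIM implementation), the following Python shows what a verifier doing the 6.6 rewriting would compute for the message above: it parses the DKIM-Signature tag list, compares the d= domain with the From domain, and annotates the From display name when they differ. Exact domain equality is assumed as the alignment rule, and the sample message is a constructed copy of the post's example with the archive's address obfuscation undone.

```python
import re
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample: the post's spoofed message, signed by ispoofyou.org
# but carrying a From address at example.com.
SAMPLE = """DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
    c=simple; q=dns;
    h=Received : From : To : Subject : Date : Message-ID;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
    VoG4ZHRNiYzR;
From: Joe User <joe.user@example.com>
To: Suzie Q <suzie@shopping.example.net>
Subject: I need your help?
Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
Message-ID: <20030712040037.46341.5F8J@example.com>

Please wire the money today.
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature tag=value list into a dict.  Folding
    whitespace is dropped first, so a b= value continued on the next
    line is reassembled before the value is split on ';'."""
    tags = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key] = val
    return tags


def signing_domain(msg):
    """Lower-cased d= tag of the first DKIM-Signature, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    return parse_dkim_tags(sig).get("d", "").lower() or None


def rewrite_from(msg):
    """From header a verifier would display.  Unchanged when unsigned or when
    the signing domain equals the From domain (assumed alignment rule);
    otherwise the signing domain is made visible as in the post's example.
    formataddr() quotes display names containing '.', '<', '>' etc., which
    is the quoting the P.P.S. asks for."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = signing_domain(msg)
    if domain is None or domain == addr.rpartition("@")[2].lower():
        return formataddr((name, addr))
    return formataddr((f"{name or addr} via <@{domain}>", addr))


def display_from(raw_message):
    """Convenience wrapper: parse a raw RFC 2822 message and rewrite its From."""
    return rewrite_from(message_from_string(raw_message))
```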