On Fri, 4 May 2007, Tim Gokcen wrote:
> I notice that the new DKIM spec (draft-ietf-dkim-base-10) does not
> explicitly say which header field receiving agents are supposed to
> verify signatures against. Section 6.1 seems to imply that the "From"
> field can be verified, but neither confirms nor denies whether more
> hidden fields such as "Resent-From" (or "Resent-Sender") could be used.
> Section 6.1 says the "From" header must be signed, but that's the only
> such assertion in the document.
DKIM itself makes no assertion about the validity of the content of any
header apart from the signature itself. The only thing it can guarantee
is that the headers and body that arrived which were included in the
signature were unaltered in transit (other than header ordering).
> Is the selection of what to verify against truly absent from the DKIM
> spec?
In the context in which you're operating, it is.
> Is there anything we can do in order to ensure that the receiving mail
> server (verifier) is able to correlate the sending domain with a DKIM
> entry and thus verify the message against our published DNS TXT records,
> without resorting to highly-visible fields such as "From" or "Sender"?
You can make local policy assertions such as only trusting a From: and
Sender: header when the domain in each matches the "d=" value for a
signature that validated, from which you can infer that they were likely
genuine. Such, however, are outside of the scope of DKIM's base
specification.
-MSK
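The local policy described in the reply above, as an added illustration that is not from the thread or from any DKIM implementation: a header is trusted only if a signature that validated both lists it in h= and carries a d= equal to the header's address domain. The sample message, the placeholder signature value and the `verifier` callback (standing in for real cryptographic verification and DNS lookup) are all constructed here.

```python
import email
from email.utils import parseaddr

# Constructed sample message. The DKIM-Signature b= value is a placeholder;
# no cryptographic check or DNS lookup is performed in this example.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; b=PLACEHOLDER
From: Alice <alice@example.com>
Sender: relay@other.example
Resent-From: bot@example.com
To: bob@example.net
Subject: hello

body
"""

def parse_tags(sig_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = "".join(v.split())
    return tags

def header_trusted(msg, name, verified_sigs):
    """Local policy: trust header `name` only if a validated signature
    covers it (listed in h=) and its d= equals the header's domain."""
    value = msg.get(name)
    if value is None:
        return False
    domain = parseaddr(str(value))[1].rpartition("@")[2].lower()
    if not domain:
        return False
    for tags in verified_sigs:
        signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
        if name.lower() in signed and tags.get("d", "").lower() == domain:
            return True
    return False

def evaluate(raw, verifier):
    """verifier(tags) -> bool stands in for the real DKIM verification step.
    Returns the trust decision for each header of interest."""
    msg = email.message_from_string(raw)
    sigs = [parse_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    verified = [t for t in sigs if verifier(t)]
    return {h: header_trusted(msg, h, verified)
            for h in ("From", "Sender", "Resent-From")}
```

Note that Resent-From is rejected even though its domain matches d=, because the signature's h= does not cover it, which is exactly the case DKIM itself makes no assertion about.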
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev