dkim-dev

Re: [dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain

2007-05-05 13:22:28
Not disagreeing with anything Murray has said, but amplifying on it:

On Fri, 2007-05-04 at 14:17 -0700, Murray S. Kucherawy wrote:
On Fri, 4 May 2007, Tim Gokcen wrote:
I notice that the new DKIM spec (draft-ietf-dkim-base-10) does not 
explicitly say which header field receiving agents are supposed to 
verify signatures against. Section 6.1 seems to imply that the "From" 
field can be verified, but neither confirms nor denies whether more 
hidden fields such as "Resent-From" (or "Resent-Sender") could be used.

Section 6.1 says the "From" header must be signed, but that's the only 
such assertion in the document.

The absence of guidance about what header fields to verify signatures
against is intended to make DKIM as flexible as possible.  It will be a
very common case that the signing address matches the From header field,
and the verifier might treat that case specially.  At least some of the
Sender Signing Policy drafts do consider such a signature to
automatically satisfy SSP.  But DKIM can also be used to sign on behalf
of, for example, mailing lists, where the signing address corresponds
with [my opinion here] the List-ID header field.

DKIM is intentionally flexible enough for the verifier to make decisions
based on the type of signature present, and whether it corresponds with
the address on any particular message header fields.  One thing to
consider, though, is that any agent that can sign a message can also add
any header fields they want, so it's probably more relevant who the
signer is than what their purported role is in handling the message.


DKIM itself makes no assertion about the validity of the content of any 
header apart from the signature itself.  The only thing it can guarantee 
is that the headers and body that arrived which were included in the 
signature were unaltered in transit (other than header ordering).

Is the selection of what to verify against truly absent from the DKIM 
spec?

In the context in which you're operating, it is.

Is there anything we can do in order to ensure that the receiving mail 
server (verifier) is able to correlate the sending domain with a DKIM 
entry and thus verify the message against our published DNS TXT records, 
without resorting to highly-visible fields such as "From" or "Sender"?

I don't really understand this question.  When you refer to "our
published DNS TXT records", those records would only be referenced for
messages signed by your domain.

I hope that the ensuing debate on this thread regarding opinions of what
DKIM is and isn't good for doesn't discourage you from using it.  There
are all sorts of things that will be possible when accreditation and
reputation systems based on DKIM authentication are available, but we
need people to start using DKIM first.  If you need an "early win" in
order to motivate deploying it, consider whitelisting signed mail from
known, reliable domains with which you correspond, thereby avoiding
false positives from those domains.

-Jim
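
The correlation discussed in this reply, between the signing domain and individual header fields, as an added example (not part of the original message or of any DKIM implementation): it reads the d= and h= tags of a constructed DKIM-Signature and reports, per header field, whether the field's domain matches the signer and whether the field is covered by the signature. It performs no cryptographic verification; the sample message, the function names, and treating subdomains of d= as a match are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a list signs with its own domain, not the author's.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=sel1;
 h=From:List-ID:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@author.example.com>
Sender: owner@lists.example.org
List-ID: <discuss.lists.example.org>
Subject: test
Date: Sat, 5 May 2007 13:22:28 -0700

body
"""

def parse_tags(value):
    """Split a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags

def header_domains(msg, name):
    """Domains named in one header field (address domain, or List-ID value)."""
    out = set()
    for raw in msg.get_all(name, []):
        if name.lower() == "list-id":
            out.add(raw.strip().rsplit("<", 1)[-1].rstrip(">").lower())
        else:
            out.update(a.rsplit("@", 1)[1].lower()
                       for _, a in getaddresses([raw]) if "@" in a)
    return out

def correlate(raw_message, fields=("From", "Sender", "Resent-From", "List-ID")):
    """Per field: (domain matches d=, field is listed in h= and so signed)."""
    msg = message_from_string(raw_message)
    tags = parse_tags(msg["DKIM-Signature"])
    d = tags["d"].lower()
    signed = {h.lower() for h in tags.get("h", "").split(":")}
    result = {}
    for f in fields:
        doms = header_domains(msg, f)
        # Assumption: a subdomain of d= counts as matching the signer.
        match = any(x == d or x.endswith("." + d) for x in doms)
        result[f] = (match, f.lower() in signed)
    return d, result
```

On the sample, Sender matches the signing domain but is not listed in h=, so only List-ID is both matching and covered by the signature.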
