ietf-asrg

Re: [Asrg] Third party DKIM signatures

2006-06-01 19:35:40
They don't.  Fortunately, that's not what the ISP's signature means.
All a DKIM signature means is "you can blame us for this mail."

If the signing domain is taking the blame for the email they emit,  
eventually they are going to tire of holding the blame and act to  
shift the blame where it belongs

So you're saying that you're not responsible for mail that your
mail servers send?  If so, please send us the IP addresses so we
can all blacklist them permanently.

are being blamed for. Except in the case of open relays I think we  
can safely assume that the signing domain has some knowledge of the  
sender to which the ISP will be able to pass the blame.

knowledge of the sender != knowledge of From: addresses

I know who all my users are.  I do not know, nor particularly care,
what return addresses they put on their mail.  If one of them
misbehaves, there's plenty of info in the headers already to tell who
sent what.

If the signing domain is authenticating the sender, which they have  
to do in order to not be an open relay,  then the DKIM signature can  
be used as an extension of that authentication.

Right.  This still has nothing to do with the From: or Sender: address
on mail that they send.

A sender could always forge any address used in the signature. An ISP
that blindly signs the outgoing mail would inadvertently sign such a
forgery.

Right.  If the ISP gets complaints, it should do something about the
misbehaving user.  Otherwise it has no way to know what addresses its
users can legitimately use, and would best refrain from guessing.

If you think that the ISP should limit the addresses its users can use
in outgoing mail, you must already have forgotten the yelling and
screaming when some of Verizon's predecessors did that as a lame and
ineffective anti-spam measure.

R's,
John

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg