Title: DNS-based Email Sender Authentication Mechanisms: a Critical Review
Dave is right -- this misunderstands what DKIM does. The only validated
identity is the signer, which need bear no relationship to any other header
domain, e.g.

    DKIM-Signature: ... d=rbn.ru; ...
    From: Bank of America Security <security@paypal.com>

The From: header is signed, but the only domain that DKIM
authenticates here is rbn.ru. It doesn't say anything about the
legitimacy or lack thereof of the address security@paypal.com, or of
the string "Bank of America Security" which is what a whole lot of
MUAs will actually display.

Even if the d= domain matches the domain on the From: line, it still
doesn't promise that the address is "real". This is an important
point that a lot of people misunderstand.

R's,
John
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
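As an added illustration of the point John makes above (this is example code written for this page, not anything from the ASRG thread or from any DKIM library), the script below takes a constructed message modelled on his example, pulls the d= and h= tags out of the DKIM-Signature header, and sets them beside the domain and display name in From:. It deliberately does no cryptographic verification; it assumes a verifier has already checked the signature and only shows which identity that check would have vouched for. The "aligned" test (From domain equal to, or a subdomain of, the signer domain) is a simplified stand-in for the alignment check mechanisms such as DMARC later layered on top of DKIM; it is not part of DKIM itself.

```python
import email
from email.utils import parseaddr

# Constructed sample message, modelled on the example in the post above.
# The body hash and signature values are placeholders, not real values.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rbn.ru; s=sel1;
 h=from:to:subject:date; bh=BASE64BODYHASH=; b=BASE64SIGNATURE=
From: Bank of America Security <security@paypal.com>
To: victim@example.net
Subject: Account notice

Body text.
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list (RFC 6376 tag-list syntax) into a dict.
    Folding whitespace inside values is removed; tag names are kept as written."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags


def assess(raw_message: str) -> dict:
    """Report which identity a (presumed valid) DKIM signature vouches for,
    and how that relates to what the recipient's MUA will display."""
    msg = email.message_from_string(raw_message)
    dkim = parse_dkim_tags(msg.get("DKIM-Signature", ""))

    # d= is the signing domain: the ONLY identity DKIM authenticates.
    signer = dkim.get("d", "").lower()
    # h= lists the header fields covered by the signature. From: being in
    # this list makes it tamper-evident; it does not make it authenticated.
    signed_headers = [h.lower() for h in dkim.get("h", "").split(":") if h]

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()

    # Simplified alignment: exact match or subdomain of the signer (assumption,
    # not DKIM semantics; DKIM itself makes no such comparison).
    aligned = bool(signer) and (
        from_domain == signer or from_domain.endswith("." + signer)
    )

    return {
        "signer_domain": signer,
        "from_covered_by_signature": "from" in signed_headers,
        "from_domain": from_domain,
        "display_name": display_name,
        "from_domain_aligned_with_signer": aligned,
        # Even when aligned, DKIM never asserts that the mailbox exists or
        # that the display name is truthful. This is always False.
        "local_part_asserted_real": False,
    }


def verdict(raw_message: str) -> str:
    """One-line summary a filter or analyst might log for the message."""
    r = assess(raw_message)
    if not r["signer_domain"]:
        return "no DKIM signature: nothing is authenticated"
    status = "aligned" if r["from_domain_aligned_with_signer"] else "NOT aligned"
    return (
        f"DKIM authenticates {r['signer_domain']} only; "
        f"From: domain {r['from_domain']} is {status}; "
        f"display name {r['display_name']!r} is unverified"
    )


if __name__ == "__main__":
    print(verdict(SAMPLE_MESSAGE))
    print(verdict(SAMPLE_MESSAGE.replace("d=rbn.ru", "d=paypal.com")))
```

Run against the sample, the first line of output attributes the message to rbn.ru and flags paypal.com as not aligned; swapping the d= tag to paypal.com makes the domains align, yet the result still carries `local_part_asserted_real: False`, which is exactly the second point in the post: alignment says who signed, not that security@paypal.com is a real mailbox or that the display name is honest.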