
Re: [ietf-dkim] Charter bashing...

2005-10-12 17:21:20
> What I want is to clearly identify what domain an email arriving at my
> mta is from.

Sure, although if you've been following the discussion, in the context
of mail, the word "from" has a vast array of possible meanings:

-- the address on the From: line
-- one of several addresses on the From: line
-- the address on the Sender: line
-- an address on one of the Resent-To: or Resent-Sender: lines
-- the bounce address in the message envelope
-- the actual sender, which might not be any of those

DKIM picks the last one.  If you have the signing key for a domain,
you can sign a message regardless of what's in the headers.

> Hopefully at the dns level I can query the domain in the email, get a
> public key, match the hash in the header of the email to equate to the
> queried domain and either accept or reject the message if there is no
> match.

If only life were so simple.  If there's a bad signature, it might
mean an evil forger is at work, or more likely it means that some MTA
on the way written by people who didn't read the RFCs mutated the
message headers or body and broke the signature.  If there's a good
signature, it means that the signer is taking responsibility for the
message, but it doesn't mean that the signer is anyone you want to
hear from.  DKIM is useful as part of an anti-spam or anti-forgery
scheme,

> If there are multiple hashes parted by a compliant delimiter I can
> resolve the accuracy of all the hashes and either accept or reject the
> mail based on my findings.

I suppose, but in practice I expect it will be rare for a message to
have more than one signature.

R's,
John
_______________________________________________
ietf-dkim mailing list
http://dkim.org
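As an added illustration of the points in John's reply (this is not code from the thread, from dkim.org, or from any DKIM implementation), here is a simplified DKIM-style signer and verifier in Python. It assumes the relaxed/relaxed canonicalization later specified in RFC 6376, a stubbed dictionary in place of the real `<selector>._domainkey.<domain>` TXT lookup, and a toy textbook-RSA key built from two Mersenne primes instead of a properly generated key. The headers, body, domains and selector are constructed. It shows why the verified identity is the d= domain and not anything on the From: line, how a whitespace-mangling MTA is tolerated while an appended footer breaks the body hash, and why a verifier cannot tell a sloppy MTA from a forger when a signature fails.

```python
import base64
import hashlib
import re

# Toy RSA key pair from two Mersenne primes (2^127-1, 2^521-1) so this runs
# offline with only the standard library; real DKIM keys are generated properly.
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))

# Stand-in for the <selector>._domainkey.<domain> TXT lookup (constructed; one toy key shared).
FAKE_DNS = {"s1._domainkey.example.com": (N, E), "s1._domainkey.other.example": (N, E)}

def canon_header(name, value):
    """'relaxed' header canonicalization: unfold, collapse WSP, lowercase name."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"

def canon_body(body):
    """'relaxed' body canonicalization: trim/collapse WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body(body)).digest()).decode()

def parse_tags(sig_value):
    tags = {}
    for item in sig_value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def from_domain(headers):
    value = next((v for n, v in headers if n.lower() == "from"), "")
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else None

def _header_digest(headers, signed_names, sig_value_without_b):
    # SHA-256 over the signed headers (last occurrence of each), then the
    # DKIM-Signature header itself with an empty b= tag and no trailing CRLF.
    h = hashlib.sha256()
    for name in signed_names:
        for hname, hval in reversed(headers):
            if hname.lower() == name.lower():
                h.update(canon_header(hname, hval).encode())
                break
    h.update(canon_header("DKIM-Signature", sig_value_without_b).encode().rstrip(b"\r\n"))
    return int.from_bytes(h.digest(), "big")

def sign(headers, body, domain, selector, priv_d=D):
    signed = ["from", "to", "subject"]
    unsigned = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
                f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    sig = pow(_header_digest(headers, signed, unsigned), priv_d, N)
    return unsigned + base64.b64encode(sig.to_bytes((N.bit_length() + 7) // 8, "big")).decode()

def verify(headers, body, dns=FAKE_DNS):
    """Return (status, signer_domain, reason); 'pass' only means the d= domain vouches for the message."""
    sig_hdr = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig_hdr is None:
        return "none", None, "no DKIM-Signature header"
    tags = parse_tags(sig_hdr)
    signer = tags.get("d")
    key = dns.get(f"{tags.get('s')}._domainkey.{signer}")
    if key is None:
        return "fail", signer, "no public key published for this selector/domain"
    if tags.get("bh") != body_hash(body):
        return "fail", signer, "body hash mismatch: body changed in transit or forged"
    unsigned = re.sub(r"(^|;)(\s*)b=[^;]*", r"\g<1>\g<2>b=", sig_hdr)
    n, e = key
    sig_int = int.from_bytes(base64.b64decode(tags["b"]), "big")
    if pow(sig_int, e, n) != _header_digest(headers, tags.get("h", "").split(":"), unsigned):
        return "fail", signer, "header signature mismatch: headers changed in transit or forged"
    return "pass", signer, "signer takes responsibility for this message"

HEADERS = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net"),
           ("Subject", "Charter bashing...")]
BODY = "Hello Bob,\r\n\r\nWhat I want is to identify the signing domain.\r\n"

def demo():
    msg = HEADERS + [("DKIM-Signature", sign(HEADERS, BODY, "example.com", "s1"))]
    other = HEADERS + [("DKIM-Signature", sign(HEADERS, BODY, "other.example", "s1"))]
    return {
        "intact": verify(msg, BODY),
        # relaxed canonicalization tolerates an MTA that re-spaces a line
        "respaced": verify(msg, BODY.replace("Hello Bob,", "Hello   Bob,  ")),
        # a gateway footer breaks bh=; the verifier cannot tell sloppy MTA from forger
        "footer": verify(msg, BODY + "-- \r\nScanned by gateway\r\n"),
        # a good signature from another domain passes; d= is the signer, not From:
        "third_party": verify(other, BODY),
    }

if __name__ == "__main__":
    for name, (status, signer, reason) in demo().items():
        print(f"{name:12} {status:5} d={signer} from={from_domain(HEADERS)}  {reason}")
```

The "third_party" case is the one John's reply is about: the signature is good, so other.example is vouching for the message, but nothing in the verification result says that other.example is the From: domain or that you want its mail. Comparing the signer to from_domain() and applying reputation to the signer are separate decisions that sit on top of the verifier.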