ietf-dkim

Re: [ietf-dkim] A potential problem with SSP bound to From

2005-10-31 09:11:39
Earl Hood wrote:
> Some email service providers support the ability for their users
> to specify an alternate From address from the address supplied
> by the provider.  I know Yahoo supports this for Mail Plus users
> and Gmail now supports it also.
>
> The problem is the email service provider may not be able to DKIM sign
> messages sent out by such users since the domain in the rfc2822.From
> does not match the sending domain.
>
> Gmail does the following when using an alternate From:
>
>   From: user@example.com
>   Sender: usersgmailname@gmail.com
>
> which is exactly the same as:
>
>   From: user@example.com
>   Sender: fooledyou@badguy.com
>
> Now, if Gmail is able to bind a DKIM signature to Sender, then
> it does not have to worry about the SSP policy of example.com.  If
> it cannot, Gmail is discouraged from signing such messages since
> signing them may reduce the chance the message gets delivered.

I don't see how gmail is discouraged by simply signing. In
fact, the act of signing may provide input to some unspecified
whitelist which allows gmail to pass where badguy.com does
not.

> If example.com has an exclusive always-sign, non-3rd-party signing
> policy, then the above user cannot do something like the above since
> any DKIM verifier will fail such messages, regardless of Gmail's
> signing policies.

I'm sorry, I don't see what the problem is here. A "user" of
example.com is violating example.com's stated policy. This
sounds exactly like the case that example.com wants to
limit. Is it your position that owners of domains have no
say-so about the ToS and that "users" (where "user" =
anybody who wants to assert they are a user, miscreants
and all as is the case today) trump all other considerations?

                Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org
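The verifier-side policy check the two posters are arguing about, as an added example that is not part of the thread and not the code of any DKIM implementation. It assumes the sender-signing-policy vocabulary of the 2005 SSP draft (`o=~` some mail signed, `o=-` all mail signed, `o=!` all mail signed and no third-party signatures), which the post does not spell out, and it uses constructed headers: the DKIM-Signature values are placeholders, so the cryptographic check is represented by a flag rather than performed. The functions `evaluate`, `thread_scenarios`, `domain_of` and `signing_domain` and the policy table `EXAMPLE_POLICIES` are inventions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed policy vocabulary from the 2005 draft-allman-dkim-ssp "o=" tag
# (an assumption of this example, not something the post states).
POLICY_SOME_SIGNED = "~"        # some mail is signed; unsigned mail is acceptable
POLICY_ALL_SIGNED = "-"         # all mail is signed; third-party signatures allowed
POLICY_EXCLUSIVE = "!"          # all mail is signed by the author domain only

# Constructed sample: Gmail's alternate-From layout from the thread.  The
# DKIM-Signature is a placeholder (bh= and b= are not real values); only the
# d= tag is consulted here.
GMAIL_ALT_FROM = (
    "From: user@example.com\n"
    "Sender: usersgmailname@gmail.com\n"
    "To: someone@example.net\n"
    "Subject: test\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=gmail.com; s=beta;\n"
    " h=from:sender:to:subject; bh=...; b=...\n"
    "\n"
    "hello\n"
)

# Same headers, but the Sender and the signer are an unrelated domain.
BADGUY_ALT_FROM = (
    GMAIL_ALT_FROM.replace("usersgmailname@gmail.com", "fooledyou@badguy.com")
    .replace("d=gmail.com", "d=badguy.com")
)

# Same message with no signature at all (header and its folded line removed).
UNSIGNED_ALT_FROM = re.sub(r"DKIM-Signature:.*\n(?: .*\n)*", "", GMAIL_ALT_FROM)

# Constructed policy table standing in for the DNS lookup of example.com's SSP.
EXAMPLE_POLICIES = {"example.com": POLICY_EXCLUSIVE}


def domain_of(header_value):
    """Lower-cased domain of a mailbox header value, or None if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def signing_domain(msg):
    """The d= tag of the first DKIM-Signature header, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def evaluate(raw_message, lookup_policy, signature_valid=True):
    """Classify a message under the rfc2822.From domain's signing policy.

    lookup_policy(domain) returns a policy character or None when the
    domain publishes none.  signature_valid stands in for the cryptographic
    verification, which this example does not perform.
    """
    msg = message_from_string(raw_message)
    author = domain_of(msg.get("From"))
    signer = signing_domain(msg) if signature_valid else None
    pol = lookup_policy(author)

    if signer is not None and signer == author:
        return "first-party"                 # author domain signed; policy irrelevant
    if pol is None:
        return "no-policy"                   # nothing to enforce
    if signer is None:
        return "unsigned-ok" if pol == POLICY_SOME_SIGNED else "policy-fail"
    # A valid signature from a domain other than the author's.
    return "policy-fail" if pol == POLICY_EXCLUSIVE else "third-party-ok"


def thread_scenarios():
    """The cases argued in the thread, evaluated against example.com's policy."""
    lookup = EXAMPLE_POLICIES.get
    return {
        "gmail-signed": evaluate(GMAIL_ALT_FROM, lookup),
        "badguy-signed": evaluate(BADGUY_ALT_FROM, lookup),
        "unsigned": evaluate(UNSIGNED_ALT_FROM, lookup),
        "gmail-signed-relaxed": evaluate(GMAIL_ALT_FROM, {"example.com": POLICY_ALL_SIGNED}.get),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:22} {verdict}")
```

Under example.com's exclusive policy the gmail.com-signed, badguy.com-signed and unsigned variants all come out the same, which is the point both posters agree on; only when the policy permits third-party signatures does the d= tag give the verifier something it can act on, and whether gmail.com and badguy.com are then treated differently is up to whatever reputation data the verifier layers on top, which this example does not model.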