ietf-dkim

Re: [ietf-dkim] Re: Responsibility concerns with DesignatedSigning Domains

2006-08-26 19:41:44
Hector Santos:
A bad actor can register look-alike domains and add their own DKIM
signature sent through any number of providers. Designation does not
make this problem worse.  With the entire email-address being
internationalized, a problem of visual recognition must be handled
through other strategies.

What Frank is saying is that ISP.COM has all power to control this and
protect his users from direct DKIM phish attacks in a very elegant and
graceful manner using SSP.

Example:

None of these loopholes would exist if d= domains were required to
match rfc822.from domains (*). Third party signatures are part of
the problem. Making them "work right" requires additional complexity.
Complexity leads to error, vulnerability and exploitation.

        Wietse

(*) This is possible even when the signer is in a different domain.
    All they need is the private key that matches the public key
    in the d= DNS record. That record can, but does not have to,
    be CNAME delegated to the signer's DNS.
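The rule Wietse proposes (d= must equal the rfc822.from domain, with the key
record optionally CNAME-delegated to the signer) in working form, as an added
example that is not code from either poster or from any DKIM implementation.
It parses the DKIM-Signature tag list, extracts the From: domain, enforces the
strict match, and then resolves the selector record against a constructed
in-memory zone instead of real DNS. The domains isp.com and signer.example,
the selector s1 and the key record contents are assumptions for illustration.

```python
import email.utils
import re


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2).

    Tag names are case-sensitive and must be unique; folding whitespace
    inside values is not significant, so it is stripped. Malformed input
    raises ValueError rather than being silently accepted.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip()
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name) or name in tags:
            raise ValueError(f"bad or duplicate tag name: {name!r}")
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def from_domain(from_header: str) -> str:
    """Domain of the single RFC 5322 From: mailbox, lowercased.

    Zero or several mailboxes are rejected: the match rule is meaningless
    unless there is exactly one originating domain to compare against.
    """
    addrs = [a for _, a in email.utils.getaddresses([from_header]) if a]
    if len(addrs) != 1 or "@" not in addrs[0]:
        raise ValueError("From: must contain exactly one mailbox")
    return addrs[0].rsplit("@", 1)[1].lower().rstrip(".")


def signature_aligned(dkim_signature: str, from_header: str) -> bool:
    """The strict rule from the thread: d= must equal the From: domain.

    Case and trailing dots are folded; a third-party d= (any other domain)
    fails, regardless of whether its signature would cryptographically verify.
    """
    d = parse_dkim_tags(dkim_signature).get("d", "").lower().rstrip(".")
    return bool(d) and d == from_domain(from_header)


# Constructed zone data standing in for DNS (hypothetical names). isp.com
# publishes the selector under its own name but delegates it with a CNAME
# to the signer's zone, which holds the actual key record. The p= value is
# a placeholder, not a real public key.
ZONE = {
    "s1._domainkey.isp.com.": ("CNAME", "s1._domainkey.signer.example."),
    "s1._domainkey.signer.example.": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"),
}


def lookup_key_record(domain: str, selector: str, zone=ZONE, max_hops: int = 8) -> str:
    """Resolve <selector>._domainkey.<domain> to its TXT record, following
    CNAMEs the way a resolver would. Missing records and CNAME loops raise."""
    name = f"{selector}._domainkey.{domain}.".lower()
    for _ in range(max_hops):
        rtype, data = zone.get(name, (None, None))
        if rtype == "TXT":
            return data
        if rtype == "CNAME":
            name = data.lower()
            continue
        raise LookupError(f"no DKIM key record at {name}")
    raise LookupError("CNAME chain too long")


def check_signature_policy(dkim_signature: str, from_header: str, zone=ZONE) -> str:
    """Apply the match rule first, then fetch the key record the verifier
    would use. Returns a short verdict string; cryptographic verification of
    b= is out of scope here."""
    tags = parse_dkim_tags(dkim_signature)
    if not signature_aligned(dkim_signature, from_header):
        return "reject: d= does not match From: domain"
    try:
        record = lookup_key_record(tags["d"], tags["s"], zone)
    except (KeyError, LookupError) as exc:
        return f"reject: {exc}"
    return f"key record found: {record}"


if __name__ == "__main__":
    sig = "v=1; a=rsa-sha256; d=ISP.com; s=s1; h=from:to:subject; bh=abc; b=xyz"
    print(check_signature_policy(sig, "Alice <alice@isp.com>"))
    third_party = "v=1; a=rsa-sha256; d=signer.example; s=s1; h=from; bh=abc; b=xyz"
    print(check_signature_policy(third_party, "alice@isp.com"))
```

Note what the rule does and does not buy: a third-party signature with
d=signer.example on mail From: alice@isp.com is rejected even though
signer.example may well have a valid key, while the signer can still sign on
isp.com's behalf by holding the private key whose public half is reached via
the CNAME. A look-alike domain that signs its own From: domain still passes,
which is the visual-recognition problem Hector raises and which this check
does not address.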
