Douglas Otis wrote:
On Tue, 2007-01-23 at 10:07 -0500, Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
Authoritative statements made by a DKIM aware MUA is a good thing.
However from an ISP perspective I would not depend on an end user to
have a DKIM aware MUA but will verify and do Policy silently at my edge
MTA devices. Any mail that makes it past there can still be acted upon
by the MUA.
There are millions of new domains added and removed every day.
And if true, any given average node only sees 0.001% of them if that.
Should the MTA verify DKIM signatures before applying filters?
Thats out of your control.
> Don't forget about Display-Name only, clever use of UTF-8,
> cousin domains, and obfuscations making it appear as though
the email-address is displayed.
So if the MTA can't handle it, we'll pass you that junk so you can deal
with it. A six pack your MUA can't deal with it neither!
Of course, there is also EAI soon to be embraced by a major part of the
world. Exploits will still slip through MTAs, simply because the MTA
does not know who the recipient is trusting.
Reasonable anti-phishing efforts at the MTA requires content of the
message (including content of the links within the message) to be
checked, and not just a check of a sender policy. Content checking will
not be comprehensive either, as IP address shuttering techniques easily
defeat even these difficult checks.
Reasonable anti-phishing efforts at the MUA only needs to annotate those
email-addresses found in the recipient's address book that are confirmed
by a DKIM signature. No sender policy is needed. Content does not
matter, look-alikes of any type are thwarted, and this protection is not
easily defeated. These MUA extensions can be added as plugins. End
user extensions are even available for web clients.
Expecting that all DKIM signatures are verified at the MTA is wrong!
Expecting that provider's customers should accumulate their private keys
at the MTA is wrong! There should _never_ be more than just the
provider's private key at the MTA! Association between the
email-address domain and the signing domain SHOULD be by REFERENCE! It
is absurd to demand that associations are only possible when they are
within the same domain. Association by REFERENCE can accommodate the
dual identities offered by EAI addresses. Providers must stop trying to
obfuscate who is signing and transmitting messages!
Annotations based upon DKIM signatures should be directly verified.
Early removal of public keys may cause such annotations to not be
applied. Expectations that the MTA has verified all DKIM signatures and
sender policies should be strongly discouraged.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html