On Jul 6, 2007, at 5:09 PM, Dave Crocker wrote:
> Folks,
>
> I'm not sure whether this fits into SSP or not, since it does not
> seem to require that a record be published. However...
>
> It seems to me that if a message has a DKIM signature and the
> signing domain matches the domain in the rfc2821.MailFrom command,
> then it is safe to generate a bounce message to that address.
>
> By 'safe' I mean that one can be confident that the mail will not
> go to an unwitting victim of a spoofed address.
>
> Am I missing something?

I made the same point in the tpa-ssp draft. The domain within
rfc2821.MailFrom does not need to be within the signing domain, when
the signing domain and scope are authorized by the MailFrom domain.
One should presume that this is conditional upon the message signature
being valid.
-Doug
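
The bounce decision discussed in this thread, as an added example that is not part of either message or of any DKIM implementation. It assumes a separate DKIM verifier has already marked each signature valid or not; `safe_to_bounce`, `is_authorized` (a hypothetical stand-in for whatever authorization the MailFrom domain publishes) and the sample signature are constructed for illustration.

```python
import re

def dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")  # b= may itself contain '='
        if sep:
            # Folding whitespace may appear inside a value; drop it.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def mailfrom_domain(reverse_path):
    """Domain of the rfc2821.MailFrom address, or None for the null path <>."""
    addr = reverse_path.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def safe_to_bounce(reverse_path, signatures, is_authorized=lambda mf, d: False):
    """signatures: list of (DKIM-Signature value, verified) pairs, where
    'verified' is the result of a real DKIM verifier (assumed, not done here).
    is_authorized(mailfrom_domain, signing_domain) is a hypothetical hook for
    a signing domain authorized by the MailFrom domain."""
    domain = mailfrom_domain(reverse_path)
    if domain is None:
        return False  # null reverse-path: there is no address to bounce to
    for header_value, verified in signatures:
        if not verified:
            continue  # an unverified d= tag proves nothing about the sender
        d = dkim_tags(header_value).get("d", "").lower().rstrip(".")
        if d and (d == domain or is_authorized(domain, d)):
            return True
    return False

# Constructed sample signature; bh= and b= are placeholders, not real values.
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
              "\th=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=")

if __name__ == "__main__":
    print(safe_to_bounce("<bounce@example.com>", [(SAMPLE_SIG, True)]))
    print(safe_to_bounce("<user@other.example>", [(SAMPLE_SIG, True)]))
```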