On Jul 6, 2007, at 5:31 PM, Douglas Otis wrote:
On Jul 6, 2007, at 5:19 PM, Steve Atkins wrote:
On Jul 6, 2007, at 5:09 PM, Dave Crocker wrote:
Folks,
I'm not sure whether this fits into SSP or not, since it does not
seem to require that a record be published. However...
It seems to me that if a message has a DKIM signature and the
signing domain matches the domain in the rfc2821.MailFrom
command, then it is safe to generate a bounce message to that
address.
By 'safe' I mean that one can be confident that the mail will not
go to an unwitting victim of a spoofed address.
Am I missing something?
If the mail is sent by dick(_at_)earthlink(_dot_)net (or a virus on their
machine), with an envelope from address of jane(_at_)earthlink(_dot_)net out
through the DKIM stamping earthlink smarthost and you generate a
bounce, that bounce will go to Jane.
Earthlink added the signature. This falls into the same category
as would any replay problem. Once again, tpa-ssp helps cope with
that issue as well.
Why do you consider this a "replay problem" when there is no replay
involved?
Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html