ietf-dkim
[Top] [All Lists]

[ietf-dkim] Re: DKIM signature can mean it's safe to generate bounce?

2007-09-22 18:11:36
Scott Kitterman wrote ten weeks ago:

On Friday 06 July 2007 20:09, Dave Crocker wrote:
It seems to me that if a message has a DKIM signature and the signing
domain matches the domain in the rfc2821.MailFrom command, then it is
safe to generate a bounce message to that address.

By 'safe' I mean that one can be confident that the mail will not go
to an unwitting victim of a spoofed address.
[...]
I expect if limited to the case where 2821 Mail From domain is the 
same as the signing domain it would likely be reasonably effective.
 
SPF Pass would (if available) give you the same or better confidence.

Better because you'd already have this confidence after SMTP MAIL FROM
without DKIM crypto looking at the 2822 header.  SPF also allows to
aggregate more than one "sending provider", that's rather tricky with
DKIM or BATV. 

OTOH you'd never see an SPF PASS behind "taditional" (aka "broken by
1123 5.3.6a") forwarding, where Dave's approach based on DKIM would
still work.  The scenarios aren't equivalent, Dave's method is more
or less limited to cases starting out with 2822-From = MAIL FROM, but
after that it survives forwarding.  

If a mailing list manages to invalidate the DKIM signature Dave's
approach won't work.  But the list could very easily guarantee it's
own SPF PASS, so in practice receivers can handle most sound cases.

 Frank

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>