Thiyaga:
Hi,
We recently decided to implement DKIM in our organization.
While reading through the RFC, I found a possible case where the
authentication is lost. (Sorry if it has already been discussed and is a
known issue.)
Scenario:
Let's assume a spammer wants to spam email accounts on domain "X.com" and
the spammer uses a domain "Y.com". Both the domains have implemented DKIM.
This looks like a standard replay attack. Such a technique can't be
used to send SPAM on behalf of domains that don't sign SPAM (e.g.,
porcupine.org). If a domain is willing to sign SPAM, then they
deserve that all their messages are handled with great prejudice.
It is possible to take DKIM-signed messages with signature and all,
and to append SPAM at the bottom, but that is not a very effective
way to reach many eyeballs.
Wietse
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html