Suresh Ramasubramanian wrote:
> 2. DKIM signs all the headers and validation of that hash tends to be
> useful to verify grandma is who she is. Or at least it's her, or it's
> comrade botmaster who's just taken over grandma's PC.
This is a common misunderstanding of DKIM:
1. DKIM doesn't have to sign all the header fields.
2. Independent of how much or little it signs, a DKIM signature does not mean
that any of the content is "valid", merely that data integrity has been
maintained. In particular, there is nothing that says that the author field
accurately states who created the message.
What is delivered can be verified as what was sent. But what was sent is still
free to be incorrect.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
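An added illustration of the two points above, not code from the thread or from any DKIM implementation: a stripped-down signer and verifier that hashes only the header fields named in h=, so a field outside h= can change without disturbing the signature, while a verified signature still says nothing about whether From: is truthful. HMAC-SHA256 stands in for DKIM's public-key signature so it runs offline; the key, domains and message are constructed.

```python
# Added illustration (not from the thread): DKIM-style header signing where only
# the fields in h= are covered.  HMAC-SHA256 stands in for DKIM's public-key
# signature so it runs offline; key, domains and message are constructed.
import hashlib
import hmac
import re

KEY = b"constructed-key-for-mailer.example"  # real DKIM publishes a public key in DNS

def relaxed_canon(name: str, value: str) -> str:
    # Relaxed canonicalization (RFC 6376 s3.4.2, simplified): lowercase the
    # name, unfold, collapse runs of whitespace, trim.
    value = re.sub(r"\s+", " ", value).strip()
    return f"{name.lower()}:{value}"

def signed_header_block(headers: list, h_tag: str) -> bytes:
    # Only fields named in h= are hashed, in h= order; as in DKIM, each name
    # consumes the bottom-most remaining instance.  Anything not in h= can
    # change without affecting the signature.
    remaining, lines = list(headers), []
    for name in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                lines.append(relaxed_canon(*remaining.pop(i)))
                break
    return ("\r\n".join(lines) + "\r\n").encode()

def sign(headers: list, h_tag: str, domain: str) -> dict:
    # The tags a DKIM-Signature would carry; b= is the MAC over the block.
    block = signed_header_block(headers, h_tag)
    return {"d": domain, "h": h_tag, "b": hmac.new(KEY, block, hashlib.sha256).hexdigest()}

def verify(headers: list, sig: dict) -> bool:
    # True iff the signed fields are unchanged.  Not checked: whether From:
    # names the real author, or whether its domain relates to d= at all.
    block = signed_header_block(headers, sig["h"])
    return hmac.compare_digest(hmac.new(KEY, block, hashlib.sha256).hexdigest(), sig["b"])

def demo() -> dict:
    # Constructed message: mailer.example signs From, Date and Message-ID but
    # not Subject.  From: claims to be grandma; the signature cannot say
    # whether that is so, only that From: is what the signer saw.
    msg = [("From", "Grandma <grandma@example.net>"), ("Subject", "Hello"),
           ("Date", "Mon, 1 Jan 2007 10:00:00 +0000"),
           ("Message-ID", "<constructed@mailer.example>")]
    sig = sign(msg, "From:Date:Message-ID", "mailer.example")
    edit = lambda field, new: [(n, new if n == field else v) for n, v in msg]
    return {"as_sent": verify(msg, sig),
            "unsigned_field_changed": verify(edit("Subject", "Changed"), sig),  # still True
            "signed_field_changed": verify(edit("From", "Other <other@example.org>"), sig)}
```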