On 2016-11-22 03:15, Brandon Long wrote:
Also realize that this isn't "Gmail shouldn't sign spam", it's
everyone who normally has a good reputation needs to not sign spam,
this is a way to steal reputation from any service allowing you to
choose your own message, and can be used against any mail receiver.
That said, I think this proposal mostly duplicates spf with some small
benefit, but one can combine the spf and dkim signals to try to combat
this issue without introducing a new standard. Forwarding will take
the worst hit in false positives, but things like arc may help with
that issue separately.
Brandon
The lesson I learned from discussing this draft is:
If you want to DKIM sign your messages you should either
- publish an SPF record (SPF becomes mandatory) or
- include the discussed extension (in this case it looks like SPF is not needed anymore, SPF is optional)
and if a message leaves your ADMD you have to either
- DKIM sign it, if it originates from your ADMD or
- ARC sign it, if it is relayed through your ADMD (recipient has changed)
It is not enough to use ARC only in the case the message content has
changed. It looks like only then a replay attack can be detected or
mitigated.
Regards,
Michael
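As an added illustration of the receiver-side reasoning in this thread (combining the SPF and DKIM signals, with ARC explaining legitimate forwarding), here is a small policy evaluator. It is example code written for this page, not code from the list discussion or from any mail provider; the `AuthResults` fields, the `Verdict` names, the notion of a `trusted_forwarders` set and the relaxed-alignment helper are all assumptions made for the example.

```python
"""Illustrative receiver-side check combining DKIM, SPF and ARC results.

Hypothetical policy written for this example (not from the thread or any
mail provider). It models the point made on the list: a DKIM signature
alone can be replayed from any sending host, so a receiver cross-checks
the DKIM signing domain against the SPF result for the connecting host,
and accepts a mismatch only when a trusted forwarder has ARC-sealed the
message (a forwarder changes the envelope, which is what breaks SPF).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Verdict(Enum):
    ACCEPT = "accept"
    SUSPECT_REPLAY = "suspect-replay"   # DKIM passes but origin disagrees
    UNVERIFIED = "unverified"           # not enough signals to combine


@dataclass
class AuthResults:
    """Constructed stand-in for the results a receiving MTA already has."""
    dkim_pass: bool
    dkim_domain: Optional[str]          # d= of a passing DKIM signature
    spf_result: str                     # "pass", "fail", "softfail", "none"
    spf_domain: Optional[str]           # domain the SPF check was run for
    signer_publishes_spf: bool          # does dkim_domain publish SPF at all?
    arc_chain_valid: bool = False
    arc_sealer: Optional[str] = None    # d= of the last valid ARC seal


def aligned(a: Optional[str], b: Optional[str]) -> bool:
    """Relaxed alignment: same registrable domain (assumed two labels)."""
    if not a or not b:
        return False
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def evaluate(r: AuthResults, trusted_forwarders: Set[str]) -> Verdict:
    """Combine the three signals into one verdict (assumed policy)."""
    if not r.dkim_pass or not r.dkim_domain:
        return Verdict.UNVERIFIED
    # Signature and origin agree: the sending host is authorized by the
    # same organization that signed the message.
    if r.spf_result == "pass" and aligned(r.spf_domain, r.dkim_domain):
        return Verdict.ACCEPT
    # Origin disagrees with the signer, but a trusted forwarder ARC-sealed
    # the message; its envelope change explains the SPF mismatch.
    if r.arc_chain_valid and r.arc_sealer and r.arc_sealer.lower() in trusted_forwarders:
        return Verdict.ACCEPT
    # Signer publishes no SPF: nothing to cross-check the signature against.
    if not r.signer_publishes_spf:
        return Verdict.UNVERIFIED
    # Signer publishes SPF, the sending host is not authorized, and no
    # trusted ARC seal explains it: a possibly replayed signature.
    return Verdict.SUSPECT_REPLAY


# Constructed sample cases (no real domains or hosts involved).
TRUSTED = {"forwarder.example"}
SAMPLES = {
    "direct":           AuthResults(True, "example.com", "pass", "mail.example.com", True),
    "replayed":         AuthResults(True, "example.com", "fail", "example.com", True),
    "forwarded+arc":    AuthResults(True, "example.com", "fail", "forwarder.example", True,
                                    arc_chain_valid=True, arc_sealer="forwarder.example"),
    "forwarded-no-arc": AuthResults(True, "example.com", "fail", "unknown.example", True),
    "signer-no-spf":    AuthResults(True, "example.com", "none", None, False),
}


def classify_samples() -> dict:
    return {name: evaluate(r, TRUSTED).value for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

The "forwarded-no-arc" case is the false positive Brandon mentions: a plain forwarder breaks SPF and, without an ARC seal from someone the receiver trusts, the message is indistinguishable from a replay under this policy. The "signer-no-spf" case is why Michael's first rule asks DKIM signers to publish SPF: with nothing to cross-check, the receiver can neither confirm nor refute the origin.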
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html