On July 20, 2005 at 08:04, SM wrote:
> What prevents a malicious domain from spoofing a sender's address?
> I.e. Is there anything in DKIM that (effectively) prevents a malicious
> domain from using my personal address, or anyone else's address?
The receiver's domain determines what action to take if the email
fails verification. If the published sender's DKIM policy states
that all email is signed, such spoofs can be caught.
> In the example I provide, no signature failure occurs.
> Is this enough for an end user to determine that Joe User actually
> sent the email?
No, it isn't enough for Joe User. :) The MUA could display a
prominent alert in such a case.
> Unless I am overlooking something, can you explain to me how
> the signature will fail in the example I provided?
The problem I am raising is the DKIM does not protect the sender/author
address adequately. I.e. It does not allow _me_ to protect my
personal address from getting used by malicious domains.
Why is this? DKIM does not adequately protect the From: field,
or allow the signed address to be different from the signer's domain.
To provide adequate protection, one or more of
the following should occur:
* The author/sender is allowed to specify which domains are
authorized to sign messages. This could be done via a DNS
lookup on the signed address. If I know I send messages
via certain providers, I can include those providers in
my nameserver.
* DKIM is modified to handle better when the From: is different
from the signed address. Validators may be REQUIRED to replace
From: with the signed address, or consider such messages
in error. Since DKIM does not support the signed address
being in a different domain from the signer's domain,
then, maybe, different-domain From addresses should not
be allowed.
Thomas made a good point about the problems of rewriting the From:
by DKIM validators. Therefore, it should be considered that the
"from" be captured during signing. For example:
DKIM-From: joe@example.com
And this is the From that is used during verification. If verification
succeeds, the From: field is replaced by the value DKIM-From so
MUAs see the From that was signed. The existing DKIM-From is left
untouched so MUAs, or other agents, can still verify the signature.
--ewh
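As an added example that is not part of this thread or of DKIM itself, a small Python model of the two proposals above: an author-domain record listing which domains may sign for an address (the AUTHORIZED_SIGNERS dict stands in for the proposed DNS lookup), and a DKIM-From header captured at signing time that the validator checks and then copies back into From: on success. The HMAC, the key table, the header layout and all addresses are constructed placeholders for DKIM's real RSA signature and DNS records.

```python
import hashlib
import hmac

# Constructed stand-ins: real DKIM signs canonicalised headers with an RSA key
# published in DNS. Here an HMAC keyed per signing domain models the signature,
# and a dict models the author-domain DNS record naming authorised signers.
SIGNER_KEYS = {"provider.net": b"k-provider", "evil.example": b"k-evil"}
AUTHORIZED_SIGNERS = {"example.com": {"example.com", "provider.net"}}


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def _digest(signer, dkim_from, body):
    mac = hmac.new(SIGNER_KEYS[signer], digestmod=hashlib.sha256)
    mac.update(f"{dkim_from}\n{body}".encode())
    return mac.hexdigest()


def sign(headers, body, signer):
    """The signer captures From: at signing time as DKIM-From and covers it."""
    signed = dict(headers)
    signed["DKIM-From"] = headers["From"]
    b = _digest(signer, signed["DKIM-From"], body)
    signed["DKIM-Signature"] = f"d={signer}; h=DKIM-From; b={b}"
    return signed


def verify(headers, body):
    """Return (ok, reason, headers). On success From: is replaced with the
    signed DKIM-From so the MUA sees the address that was actually signed;
    DKIM-From itself stays in place so later agents can still verify."""
    sig = dict(kv.split("=", 1) for kv in headers["DKIM-Signature"].split("; "))
    signer, dkim_from = sig["d"], headers.get("DKIM-From")
    if dkim_from is None or signer not in SIGNER_KEYS:
        return False, "missing DKIM-From or unknown signer", headers
    if not hmac.compare_digest(sig["b"], _digest(signer, dkim_from, body)):
        return False, "signature mismatch", headers
    # Author-domain policy (assumed default: only the author's own domain
    # may sign when no record is published).
    author = domain_of(dkim_from)
    allowed = AUTHORIZED_SIGNERS.get(author, {author})
    if signer not in allowed:
        return False, f"{signer} not authorised to sign for {author}", headers
    out = dict(headers)
    out["From"] = dkim_from
    return True, "verified", out
```

A validator built this way rejects a message signed by a domain the author never authorised, and when a transit agent alters From: after signing, the signed DKIM-From is restored for display rather than silently trusted.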