ietf-mailsig

Re: DKIM: Does DKIM provide adequate protection from a malicious domain from spoofing a sender's address?

2005-07-20 10:43:51

On July 20, 2005 at 08:04, SM wrote:

What prevents a malicious domain from spoofing a sender's address?
I.e.  Is there anything in DKIM that (effectively) prevents a malicious
domain from using my personal address, or anyone else's address?

The receiver's domain determines what action to take if the email 
fails verification.  If the published sender's DKIM policy states 
that all email is signed, such spoofs can be caught.

In the example I provide, no signature failure occurs.

Is this enough for an end user to determine that Joe User actually
sent the email?

No, it isn't enough for Joe User. :)  The MUA could display a 
prominent alert in such a case.

Unless I am overlooking something, can you explain to me how
the signature will fail in the example I provided?

The problem I am raising is that DKIM does not protect the sender/author
address adequately.  I.e.  It does not allow _me_ to protect my
personal address from getting used by malicious domains.

Why is this?  DKIM does not adequately protect the From: field,
or allow the signed address to be different from the signer's domain.
To provide adequate protection, then one or more of
the following should occur:

  * The author/sender is allowed to specify which domains are
    authorized to sign messages.  This could be done via a DNS
    lookup on the signed address.  If I know I send messages
    via certain providers, I can include those providers in
    my nameserver.

  * DKIM is modified to better handle the case when the From: is different
    from the signed address.  Validators may be REQUIRED to replace
    From: with the signed address, or consider such messages
    in error.  Since DKIM does not support the signed address
    being in a different domain from the signer's domain,
    then, maybe, different-domain From addresses should not
    be allowed.

Thomas made a good point about the problems of rewriting the From:
by DKIM validators.  Therefore, it should be considered that the
"from" be captured during signing.  For example:

  DKIM-From: joe@example.com

And this is the From that is used during verification.  If verification
succeeds, the From: field is replaced by the value DKIM-From so
MUAs see the From that was signed.  The existing DKIM-From is left
untouched so MUAs, or other agents, can still verify the signature.

--ewh
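As an added illustration of the two remedies proposed in the message above (an author-published list of domains authorized to sign, and a DKIM-From captured at signing time that the validator restores into From:), the following Python model is not code from the thread or from any DKIM implementation. The Toy-Signature header, the HMAC standing in for a real DKIM signature, and the in-memory SIGNER_KEYS and AUTHORIZED_SIGNERS tables standing in for DNS records are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for DNS: signing domain -> shared secret (a DKIM selector key in reality).
SIGNER_KEYS = {
    "example.com": b"example-key",
    "mailhost.example": b"mailhost-key",
    "evil.example": b"evil-key",
}
# Constructed stand-in for the author's published list of providers allowed to sign for it.
AUTHORIZED_SIGNERS = {"example.com": {"example.com", "mailhost.example"}}


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def signed_input(msg):
    # Only the captured author address and the body are covered; From: itself is not.
    return (msg["DKIM-From"] + "\n" + msg["Body"]).encode()


def sign(msg, signer_domain):
    """Signer captures From: as DKIM-From and signs that copy (HMAC stands in for DKIM)."""
    out = dict(msg)
    out["DKIM-From"] = msg["From"]
    mac = hmac.new(SIGNER_KEYS[signer_domain], signed_input(out), hashlib.sha256).hexdigest()
    out["Toy-Signature"] = f"d={signer_domain}; h={mac}"
    return out


def verify(msg):
    """Return (status, msg). On 'pass', From: is replaced by the signed DKIM-From value."""
    params = dict(p.strip().split("=", 1) for p in msg["Toy-Signature"].split(";"))
    signer = params["d"].lower()
    key = SIGNER_KEYS.get(signer)
    if key is None:
        return "tempfail-no-key", msg
    expected = hmac.new(key, signed_input(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params["h"]):
        return "fail-signature", msg
    author_domain = domain_of(msg["DKIM-From"])
    # A signer outside the author's domain must appear in the author's published list.
    if signer != author_domain and signer not in AUTHORIZED_SIGNERS.get(author_domain, set()):
        return "fail-unauthorized-signer", msg
    out = dict(msg)
    out["From"] = msg["DKIM-From"]  # MUAs then see the From that was actually signed
    return "pass", out
```

A message whose From: was altered after signing still verifies, but the validator hands the MUA the signed DKIM-From; a message signed by a domain the author never authorized fails even though its signature is cryptographically valid.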

