
Re: DKIM: Does DKIM provide adequate protection from a malicious domain from spoofing a sender's address?

2005-07-20 13:32:06

Earl Hood wrote:

[Maybe this is not within the scope of DKIM, but I will ask it
anyway since it may affect how well DKIM is accepted.]

What prevents a malicious domain from spoofing a sender's address?
I.e., is there anything in DKIM that (effectively) prevents a malicious
domain from using my personal address, or anyone else's address?

This was -- and continues to be -- the subject of much debate. The compromise
was to have the mechanics for binding the DKIM address (e.g. i=) to outside
addresses (e.g. From) addressed in the signing policy draft. Due to time
constraints, the text that was in DKIM base did not make it into SSP, but it
should go back in the next rev.

I think that the longer term answer with resigners (e.g., mailing lists) is that
they want to preserve the original DKIM signature bound to the From
address as well as resign it themselves. At some level, resigners (i.e.,
signers who want to preserve the original From address) will need to be
dealt with in the reputation domain because there is no obvious other
difference between:

From: mike@mtcc.com
Sender: list@yahoogroups.com

and

From: mike@mtcc.com
Sender: vile@spammer.com

if the original From signature is missing or broken.

      Mike
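As an added example, not part of Mike's post or of any DKIM implementation: a small Python check that sorts the signatures on a message into ones bound to the From domain (through i=) and third-party ones, which is the distinction the two Sender cases above turn on. The message text and bh=/b= values are constructed, and the set of domains whose signatures cryptographically verified is passed in by hand, standing in for a real verifier (an assumption of this example).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the original post); bh=/b= are placeholders
# because this example checks identity binding, not cryptographic validity.
LIST_RESIGNED = """\
From: mike@mtcc.com
Sender: list@yahoogroups.com
DKIM-Signature: v=1; a=rsa-sha256; d=mtcc.com; i=mike@mtcc.com; s=sel;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=yahoogroups.com; i=@yahoogroups.com; s=lst;
 h=from:sender:subject; bh=PLACEHOLDER; b=PLACEHOLDER

"""
SPAMMER_SIGNED = """\
From: mike@mtcc.com
Sender: vile@spammer.com
DKIM-Signature: v=1; a=rsa-sha256; d=spammer.com; i=@spammer.com; s=x;
 h=from:sender:subject; bh=PLACEHOLDER; b=PLACEHOLDER

"""

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def is_same_or_subdomain(child, parent):
    child, parent = child.lower(), parent.lower()
    return child == parent or child.endswith("." + parent)

def classify_signatures(raw_message, verified_domains):
    """Sort verified signatures into author-bound (i= domain covers the From
    domain) and third-party (a resigner or anyone else). verified_domains is the
    assumed output of the crypto verifier: d= values whose signature checked out.
    A signature that is missing or broken is simply absent from that set."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    result = {"author_bound": [], "third_party": []}
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(header)
        d = tags.get("d", "")
        if d.lower() not in verified_domains:
            continue  # broken or unverifiable: carries no binding at all
        i_domain = tags.get("i", "@" + d).rpartition("@")[2] or d
        bucket = "author_bound" if is_same_or_subdomain(i_domain, from_domain) else "third_party"
        result[bucket].append(d)
    return result
```

With the mtcc.com signature intact the list-resigned message still carries an author-bound signature; once the list's modifications break it, that message and the spammer-signed one both reduce to a single third-party signature, and only the reputation of the d= domain is left to tell them apart.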

