spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [spf-discuss] DKIM modifier

2005-09-12 07:49:54
from [william(at)elan.net] [Permanent Link] 

On Mon, 12 Sep 2005, Julian Mehnle wrote:


Both SPF and DKIM tighten up the mail system's rules in their own ways for
those who choose to participate.  Meng Weng Wong has long been advocating
variant (b)[1,2] with the intent to solve the "forwarding problem".  The
problem with this however is that the assertions made by successful SPF
and DKIM checks are not exactly equivalent.  SPF (like Sender ID) says:
"The last hop, i.e. the calling IP address, was allowed to use the sender
domain", while DKIM says "The message has, at some time, passed through
an MTA of the sender domain".


Depending on how SPF is used, mostly its that "The message is coming
from MTA authorized by sender domain" where as with DKIM it would be
"The message has passed through MTA authorized by sender domain".

So there is not as much difference here. Except of course that "sender"
is not the same for DKIM.


As a result I don't think that variant (b) is "the right thing to do".


Most likely you're right and (b) is not ok.


Also, assuming we allowed "the domain owner" to specify which variant they
prefer, there is always the possibility that the SPF domain doesn't match
the DKIM domain (i.e. MAIL FROM:<lamer(_at_)aol(_dot_)com>, Sender: 
snake(_at_)pit(_dot_)com).


DKIM does not operate on "Sender" nor on any other identity - they only
key point seems to be "d" tag of DKIM, but what identity assertions it
makes are purposely not made clear. In this way I can't quite grasp if
it would or would not be ok to use signature result if "d" is checked
and verified to be same as MAILFROM (just info that DKIM is pass is
useless for sure). if identities were clearly different like "Sender"
and MAILFROM, then I'd have definitely said no.


In that case, should the SPF domain owner be allowed to specify that the
authenticity (yeah, go ahead and stone me to death) of the DKIM domain
should or should not be checked?


Depends on what kind of policy assertion it makes. If policy assertion
is that all MTAs associated with such and such MAILFROM domain add the this signature (which is what simple modifier means) that is fine and basicly means that message can be rejected if it does not have the signature. This really does not change the MAILFROM checking at SMTP session and just says that if you're at the data stage and you don't 
find the signature, then something is not right.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] solving the forwarding problem, Theo Schlossnagle
Next by Date:  Re: [spf-discuss] solving the forwarding problem, Mark Shewmaker
Previous by Thread:  Re: [spf-discuss] DKIM modifier, Julian Mehnle
Next by Thread:  Re: [spf-discuss] DKIM modifier, Scott Kitterman
Indexes:  [Date] [Thread] [Top] [All Lists]