
RE: [spf-discuss] Phishing passing thru spf = not useful to me.

2007-04-16 07:51:20
Scott Kitterman wrote on Monday, April 16, 2007 9:13 AM -0500:

> On Monday 16 April 2007 10:03, Seth Goodman wrote:
>
> > DKIM does validate the From: address independently,
>
> No.  It does not.  It may, but it does not.
>
> The DKIM Sender Signing Policy (SSP) is not yet designed (the protocol
> requirements were just finished) and it may or may not be effective
> for this.
>
> Today, based on the DKIM-base RFC that has been approved there is no
> way to tie signing domain to From domain (or any other header).

Thanks for pointing this out.  I'll have to look at the current RFC.
Any authentication protocol that is optional only works if the recipient
can query the sender's policy out-of-band (not in the message).  If the
only information the recipient has is what's presented in the DKIM
signature header, they can only trust it if the domain that supplies the
public key is the same as the sender domain, whatever you consider that
to be.  How does DKIM currently deal with combinations of From:,
Sender:, Resent-*: addresses to determine sender domain?

In any case, I think my point about MAILFROM: == From: for the majority
of legitimate messages still holds.  SPF pass also validates From: when
it uses the same domain (well, really PRA, not strictly From:).  Unlike
DKIM + DKIM sender signing policy (I assume they will get there), SPF
pass tells you nothing about From: when it is different from MAILFROM:.
However, adding scope to SPF, either directly or via op= modifier, is a
*much* lighter-weight method for both senders and recipients to
accomplish the same thing.

Seth Goodman
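The point made above, that an SPF pass only vouches for the MAIL FROM (or PRA) domain and a DKIM-base signature only for its d= domain, can be made concrete by checking which header identities each result actually covers. The following is an added example, not code from the thread or from any SPF/DKIM implementation: it uses Python's standard `email` package, takes the SPF and DKIM verifier outcomes as plain strings (assumed to come from a separate verifier), selects the PRA in the RFC 4407 order (Resent-Sender, Resent-From, Sender, From), and reports whether the From: and PRA domains coincide with the domain each result actually validated. The two messages are constructed samples, not real mail.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(addr):
    """Lower-case domain part of 'Name <user@example.org>' ('' if there is none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[1].lower() if "@" in email_addr else ""


def purported_responsible_address(msg):
    """PRA header selection (RFC 4407): Resent-Sender, then Resent-From, Sender, From.
    The first header present wins; msg.get() returns the topmost instance."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(name):
            return msg[name]
    return ""


def dkim_signing_domain(msg):
    """Value of the d= tag of the first DKIM-Signature header ('' if unsigned)."""
    sig = msg.get("DKIM-Signature", "")
    for tag in sig.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return ""


def vouched_identities(mail_from, raw_message, spf_result, dkim_result):
    """Report which header identities an SPF 'pass' / DKIM 'pass' actually cover.

    spf_result and dkim_result are assumed verifier outcomes ('pass', 'fail', ...).
    Only domains are compared: an SPF pass on MAIL FROM is credited to From:/PRA
    solely when they share its domain, and a DKIM pass is credited to From: solely
    when d= equals the From: domain (no sender-signing-policy lookup is done).
    """
    msg = message_from_string(raw_message)
    mf_dom = domain_of(mail_from)
    from_dom = domain_of(msg.get("From", ""))
    pra_dom = domain_of(purported_responsible_address(msg))
    d_dom = dkim_signing_domain(msg)
    spf_ok = spf_result == "pass"
    dkim_ok = dkim_result == "pass"
    return {
        "mail_from_domain": mf_dom,
        "from_domain": from_dom,
        "pra_domain": pra_dom,
        "dkim_d": d_dom,
        "spf_validates_from": spf_ok and mf_dom != "" and mf_dom == from_dom,
        "spf_validates_pra": spf_ok and mf_dom != "" and mf_dom == pra_dom,
        "dkim_validates_from": dkim_ok and d_dom != "" and d_dom == from_dom,
    }


# Constructed sample messages (not real mail). The first is the common legitimate
# case where MAIL FROM and From: share a domain. The second is the pattern the
# thread discusses: SPF passes for the bounce domain (which also happens to be
# the PRA via Sender:), while From: shows an unrelated domain.
LEGIT_MAIL_FROM = "bounces@example.net"
LEGIT_MESSAGE = """From: Alice <alice@example.net>
To: bob@example.org
Subject: invoice
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; h=from:to:subject; bh=...; b=...

Hello Bob
"""

SPOOF_MAIL_FROM = "bounce@other.example"
SPOOF_MESSAGE = """From: Support <support@example.com>
Sender: list@other.example
To: bob@example.org
Subject: verify your account
DKIM-Signature: v=1; a=rsa-sha256; d=other.example; s=sel; h=from:to; bh=...; b=...

Please review the attached notice
"""

if __name__ == "__main__":
    for label, mf, raw in (("legit", LEGIT_MAIL_FROM, LEGIT_MESSAGE),
                           ("spoof", SPOOF_MAIL_FROM, SPOOF_MESSAGE)):
        print(label, vouched_identities(mf, raw, "pass", "pass"))
```

For the second message every check the receiver can run returns "pass", yet only the PRA and the d= domain are vouched for; the From: domain the user sees is covered by neither, which is exactly the gap a sender-side policy (SPF scope, an op= modifier, or a DKIM signing policy) would have to close.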

Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/