Re: [spf-discuss] SPF, DKIM, and NIH

On Sun, 11 Oct 2009, Scott Kitterman wrote:
> Since mailing lists use their own envelope from, I guess I'm missing
> something here.  What would your envolope DKIM be signing and who would
> sign it?
Ok, assume someone using envelope DKIM (which is *not* the same as
DKIM/ADSP) posts to the list.  It arrives at the mailing-list server with an
intact envelope signature.

Now, if the mailing-list is not aware of Envelope-DKIM, it changes the MAIL
FROM: and also mucks around a bit with the body.

When an ultimate recipient receives the message, he will look for an
Envelope-DKIM policy of the *mailing list's domain* (since that's what's in
MAIL FROM:), and find none.  That means that no signatures are required, so
it will accept the mail.  The broken signature is irrelevant, as to
Envelope-DKIM it is now 3rd-party.  (Notwithstanding that it is 1st-party to
DKIM/ADSP.)

If the mailing list is aware of Envelope-DKIM, it will take ownership of the
message, purging the old Envelope-DKIM signature.  It will then put a new
signature in, using its own domain and private key.

This is precisely analogous to the way SPF avoids mailing list FPs. Mailing
lists "friendly forge" the identity DKIM/ADSP cares about, but not the one
SPF and Envelope-DKIM track.

The advatange of Envelope-DKIM is that it would also have DKIM/ADSP's
resistance to forwarder FPs.  The absence of both kinds of FP would allow the
protocol to be spread faster than either SPF or DKIM/ADSP.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com