spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-12 08:40:12
On Mon, 12 Oct 2009, Scott Kitterman wrote:
> How does this happen?  Mail from is a property of the SMTP dialogue that is
> only added to the message as return path by the receiver, so I don't
> understand what there would be for the sender to sign?

By envelope signature I don't mean a signature that *protects* the MAIL
FROM:/Return-Path: from modifications -- that is indeed impossible in RFC
4871.  I mean one whose *relevance depends* on the fact that the domain specified
in the signature "d=" option coincides with the right-hand-side of the MAIL
FROM: address.

Relayers are free to change the MAIL FROM:, and far from blocking them from
changing it, if they do change it this frees them to drop the signature
without consequence.

The only thing they can't do is change the MAIL FROM: to a domain they don't
have a private key for, or tamper with the body while preserving a MAIL FROM:
they don't have the private key for.

----- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
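
The relevance test described in the message above, sketched as an added example (not code from the original post or from any SPF/DKIM implementation): a signature counts only when its "d=" coincides with the right-hand side of the MAIL FROM: address. The function names, status strings and sample headers are assumptions made for illustration, and the cryptographic verification result is assumed to come from a separate DKIM verifier.

```python
import re

def parse_tag_list(value):
    """Parse a DKIM-Signature tag=value list (RFC 4871, section 3.2) into a dict."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold header continuation lines
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")     # split on the first "=" only
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def envelope_domain(mail_from):
    """Right-hand side of the MAIL FROM: address, or None for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].rstrip(".").lower()

def envelope_signature_status(mail_from, signatures):
    """signatures: list of (DKIM-Signature header value, verified) pairs, where
    'verified' is the result reported by a real DKIM verifier (assumed here)."""
    env = envelope_domain(mail_from)
    if env is None:
        return "no-envelope-domain"
    # Only signatures whose d= coincides exactly with the envelope domain are relevant.
    relevant = [ok for value, ok in signatures
                if parse_tag_list(value).get("d", "").rstrip(".").lower() == env]
    if not relevant:
        return "no-aligned-signature"
    return "aligned-valid" if any(relevant) else "aligned-invalid"

# Constructed sample headers (hypothetical domains and placeholder bh=/b= values).
SIG_ORIGIN = ("v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n"
              "\th=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=")
SIG_RELAY = "v=1; a=rsa-sha256; d=relay.example.net; s=r1; bh=CONSTRUCTED=; b=CONSTRUCTED="

if __name__ == "__main__":
    cases = [
        ("direct delivery", "<alice@example.org>", [(SIG_ORIGIN, True)]),
        ("relayer rewrote MAIL FROM", "<bounce@relay.example.net>", [(SIG_ORIGIN, False)]),
        ("relayer rewrote and re-signed", "<bounce@relay.example.net>",
         [(SIG_ORIGIN, False), (SIG_RELAY, True)]),
        ("body altered, MAIL FROM kept", "<alice@example.org>", [(SIG_ORIGIN, False)]),
    ]
    for label, mail_from, sigs in cases:
        print(f"{label:32} {envelope_signature_status(mail_from, sigs)}")
```

What a receiver does with "no-aligned-signature" would depend on a policy published for the envelope domain, which this message does not specify.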



