
Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-12 09:26:00
Michael Deutschmann wrote:
By envelope signature I don't mean a signature that *protects* the MAIL FROM:/Return-Path: from modifications -- that is indeed impossible in RFC 4871. I mean one whose *relevance depends* on the fact that the domain specified in the signature "d=" option coincides with the right-hand-side of the MAIL FROM: address.

Relayers are free to change the MAIL FROM:, and far from blocking them from changing it, if they do change it this frees them to drop the signature without consequence.

That's very easy to forge, though. As long as spammers sign correctly, they can relay mail apparently coming from one@high-reputation.domain without any chance for that domain to mark --across multiple relays-- the messages that have been sent from authenticated users. In the good cases, final recipients trust the list even more than the original "high-reputation.domain", and so it's ok to remove broken original signatures. However, that classifies the protocol as specific for mailing lists with a good reputation: not the generic forwarding-resistant solution that DKIM claims to be.
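The "envelope signature" relevance test discussed in this message, as an added example that is not part of the original post or of any SPF/DKIM implementation: it parses the RFC 4871 tag list of each DKIM-Signature value and labels a signature "envelope" only when its d= equals the right-hand side of MAIL FROM:. Assumptions: signatures are taken as already cryptographically verified, and all domains, selectors and hash values are constructed placeholders.

```python
import re

def parse_dkim_tags(header_value):
    """Parse an RFC 4871 tag=value list into a dict, unfolding continuation lines."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue  # empty trailing element or malformed tag
        name, value = part.split("=", 1)  # values such as b= may contain '='
        tags[name.strip()] = value.strip()
    return tags

def envelope_domain(mail_from):
    """Right-hand side of the MAIL FROM: address; '' for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify(mail_from, dkim_signature_values):
    """Return (d= domain, label) per signature; 'envelope' when d= matches MAIL FROM."""
    env = envelope_domain(mail_from)
    result = []
    for value in dkim_signature_values:
        d = parse_dkim_tags(value).get("d", "").lower().rstrip(".")
        result.append((d, "envelope" if env and d == env else "other"))
    return result

# Constructed sample signatures (bh= and b= are placeholders, not real hashes).
ORIG_SIG = ("v=1; a=rsa-sha256; d=high-reputation.example; s=sel1;\r\n"
            "\th=from:to:subject; bh=AAAA=; b=BBBB==")
LIST_SIG = "v=1; a=rsa-sha256; d=list.example; s=ml; h=from:to:subject; bh=CCCC=; b=DDDD=="

if __name__ == "__main__":
    # 1. As first submitted: the originator's signature is the envelope signature.
    print(classify("<one@high-reputation.example>", [ORIG_SIG]))
    # 2. After a relay rewrote MAIL FROM: and added its own signature, the
    #    originator's signature is no longer relevant under this rule.
    print(classify("<list-bounces@list.example>", [LIST_SIG, ORIG_SIG]))
    # 3. The relay dropped the original signature: only the relay's domain remains.
    print(classify("<list-bounces@list.example>", [LIST_SIG]))
```

In case 3 no signature from the originating domain reaches the final recipient, so the evaluation rests entirely on the relaying domain.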


