spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-12 20:45:07
On Mon, 12 Oct 2009, Scott Kitterman wrote:
> This is where I think you go astray.  DKIM has no requirement for the "d"
> domain and the body from domain to match.  So really all you are saying is

DKIM doesn't.  DKIM/ADSP does, although signatures with "wrong" d= are
ignored rather than considered errors -- a fact my proposal counts on.

DKIM was built to allow for third-party signatures, but at present there is
no standard way to indicate that signatures other than that for the From:
domain *are required*.  That's what I want to fix.

> check if the domain used in mail from has a DKIM key record?  If so, that's
> a problem because you need to go to DATA to get the signature to find out
> what the selector is.

No, at MAIL FROM: time you check whether the SPF record has a flag
indicating an envelope signing policy (such as my "fm=dkim" suggestion).
If the flag is set, you know, before seeing the DATA yourself, that either
the message will have a valid signature with d= matching the Return-path:,
or it is forged.

The test is more expensive than SPF, but when supported it is more accurate,
since it is as immune as DKIM/ADSP to the forwarder problem.


And remember, if SPF returns fail *and* you are sure the message is
not a forward, you are still allowed to reject the message without ever
looking at the DATA.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
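The receiver-side logic the reply describes, written out as an added example (this is not code from the post or from any SPF/DKIM implementation): at MAIL FROM time the receiver looks up the sender's SPF record, evaluates it, rejects on SPF fail when it is sure the connection is not a forwarder, and otherwise notes whether the record carries the proposed `fm=dkim` flag; after DATA, a message under that flag is accepted only if a DKIM signature whose `d=` matches the Return-Path domain verifies, and signatures with any other `d=` are ignored rather than treated as errors. Assumptions: `fm=dkim` is the hypothetical modifier from the thread, not a standard SPF term; `SPF_RECORDS` stands in for DNS TXT lookups; the `verifies` callback stands in for a real DKIM verifier, since no cryptography is done here; and the SPF evaluator only handles `ip4`, `ip6` and `all`.

```python
import ipaddress
import re

# Constructed SPF records standing in for DNS TXT lookups.  "fm=dkim" is the
# hypothetical envelope-signing flag discussed in the thread, not a standard term.
SPF_RECORDS = {
    "signed.example": "v=spf1 ip4:192.0.2.0/24 fm=dkim -all",
    "plain.example":  "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a record into ([(qualifier, mechanism, argument)], {modifier: value})."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        head = term.split(":", 1)[0]
        if "=" in head:                       # modifiers are name=value; mechanisms use ':' or '/'
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms, modifiers


def evaluate_spf(record, client_ip):
    """Minimal evaluator: ip4/ip6 (optional CIDR) and 'all'; other mechanisms never match."""
    ip = ipaddress.ip_address(client_ip)
    mechanisms, _ = parse_spf(record)
    for qualifier, name, arg in mechanisms:
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def envelope_policy(record):
    """Return 'dkim' when the record carries the (hypothetical) fm=dkim flag, else None."""
    _, modifiers = parse_spf(record)
    return "dkim" if modifiers.get("fm", "").lower() == "dkim" else None


def mail_from_decision(mail_from_domain, client_ip, known_forwarder=False):
    """Decision at MAIL FROM time, before DATA has been read.
    Returns (action, policy): action is 'reject' or 'continue'; policy is what DATA must satisfy."""
    record = SPF_RECORDS.get(mail_from_domain.lower())
    if record is None:
        return "continue", None
    if evaluate_spf(record, client_ip) == "fail" and not known_forwarder:
        return "reject", None                 # SPF fail from a non-forwarder: reject without DATA
    return "continue", envelope_policy(record)


TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)", re.I)


def signature_domains(dkim_signature_headers):
    """Extract the d= tag from each DKIM-Signature header value (tag parsing only, no crypto)."""
    domains = []
    for header in dkim_signature_headers:
        tags = {m.group(1).lower(): m.group(2).strip() for m in TAG_RE.finditer(header)}
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def data_decision(mail_from_domain, policy, dkim_signature_headers, verifies):
    """Decision after DATA.  `verifies(header)` stands in for a real DKIM verifier.
    Signatures whose d= does not match the Return-Path domain are ignored, not errors."""
    if policy != "dkim":
        return "accept"
    for header in dkim_signature_headers:
        d = signature_domains([header])
        if d and d[0] == mail_from_domain.lower() and verifies(header):
            return "accept"
    return "reject"                           # fm=dkim promised a matching signature; none verified


if __name__ == "__main__":
    ok = lambda h: "b=GOOD" in h              # constructed stand-in for signature verification
    action, policy = mail_from_decision("signed.example", "192.0.2.10")
    print(action, policy)
    print(data_decision("signed.example", policy,
                        ["v=1; a=rsa-sha256; d=signed.example; s=s1; b=GOOD"], ok))
    print(data_decision("signed.example", policy,
                        ["v=1; a=rsa-sha256; d=other.example; s=s1; b=GOOD"], ok))
    print(mail_from_decision("plain.example", "192.0.2.10"))
    print(mail_from_decision("plain.example", "192.0.2.10", known_forwarder=True))
```

The split into a MAIL FROM decision and a DATA decision is the point of the exchange: the flag is read from the SPF record the receiver already fetched, so no selector or signature is needed before DATA, and the DKIM check that does need DATA only runs for domains that asked for it.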


