> Curiously, in my test from gmail.com, the envelope sender and the
> `Sender' were gmail.com addresses, but the `From' was a local address.
> Gmail.com used DKIM to authenticate all of those headers.  I assume
> that means that they can't be forged.

Not really. All you know is that they're unchanged from the way they were when gmail signed it. You need some external knowledge about Gmail's practices to know whether they're real.

As it happens, when you add a non-gmail address to a Google account, they send a confirmation mail with a URL you have to click, so in the particular case of Gmail, you can be reasonably sure the address is real. In general, without specific info like that, you can't.

> I'd like to whitelist all e-mail from their domain that passes validation, and reject everything else. That would eliminate the phishing messages that are so pervasive now.

I wish people would stop spreading that particular piece of disinformation (and I bet Vern does, too). DKIM will tell you that mail purporting to be from canadatrust.mobi really is from canadatrust.mobi, but it won't tell you that it's not your bank, it's some domain speculator in Edmonton.

R's,
John
_______________________________________________
DCC mailing list      [email protected]
http://www.rhyolite.com/mailman/listinfo/dcc
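The point made in the reply above, as an added example that is not from the thread or from DCC: a DKIM signature only names the domain that signed (the `d=` tag), so a filter still needs an independent list of domains it actually trusts. Assumptions: the message, the lookalike domain's headers and the `KNOWN_DOMAINS` allowlist are constructed; cryptographic verification of the signature is assumed to have been done upstream (by the MTA or a DKIM library), and the organizational-domain comparison uses the last two labels instead of the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lookalike domain that signs its own mail, so the
# signature verifies and d= aligns with From, yet it is not your bank.
SAMPLE = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=canadatrust.mobi; s=sel1; h=from:to:subject;
 bh=CONSTRUCTED_BODY_HASH; b=CONSTRUCTED_SIGNATURE
From: "Canada Trust" <alerts@canadatrust.mobi>
To: customer@example.net
Subject: Please verify your account

Click the link below.
"""

# Constructed allowlist: the "external knowledge" a DKIM pass cannot supply.
KNOWN_DOMAINS = {"example-bank.test", "gmail.com"}


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (folding removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def org_domain(domain):
    """Approximate the organizational domain with the last two labels
    (assumption; real DMARC alignment uses the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def assess(raw_message, known_domains):
    """Report who signed, whether that aligns with From, and whether the
    From domain is one you independently trust. Signature verification
    of b= is assumed to have passed upstream; it is not performed here."""
    msg = message_from_string(raw_message)
    signer = parse_dkim_tags(msg.get("DKIM-Signature", "")).get("d", "").lower()
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "signer": signer,
        "from_domain": from_dom,
        "aligned": bool(signer) and org_domain(signer) == org_domain(from_dom),
        "known": from_dom in known_domains,
    }
```

For the sample, `aligned` is true and `known` is false: the signature is genuine, the domain is real, and a whitelist keyed on "passes DKIM" alone would still let it through.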
