https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7233
--- Comment #5 from Mark Martinec <[email protected]> ---

The DKIM plugin (when validating) does not enforce that a DKIM signature must also sign a From header field, although the RFC does require a signer to include a From header field in a signature. If a DKIM signature does include a From header field in the signature (the 'h' tag) but the From is missing or has been changed in transit, the signature won't be considered valid, the same as with any other message modification.

There is no requirement that the domain name of the author address in a From header field must match the signing domain (the 'd' tag) of a signature: if it does match, the signature is called an author-domain signature, otherwise it is a third-party signature. The same goes for an incomplete author address (i.e. a missing domain), which can only be treated as a third-party signature.

What the value of a valid signature (author-domain signature _or_ a 3rd-party signature) is depends solely on the reputation of the signing domain. A reputable signing domain can be used for whitelisting or for adding some negative score points. A DKIM signature from a non-reputable domain is not worth anything: as far as the score goes it is equivalent to a broken (non-valid) or absent signature.

Apart from informational/debugging purposes, I see no point in providing extra rules just to distinguish a valid DKIM-signed third-party signature with a missing domain in a From header field from any other valid third-party signature (likely it won't be valid anyway). Similarly there is no point in distinguishing an invalid (or missing) signature based on the presence or absence of a sensible address in a From header field. It all boils down to the reputation of the signing domain: if a seemingly reputable signing domain is willing to sign such mail with an incomplete author address, perhaps its reputation is overrated.
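The distinctions the comment above draws (is From covered by the signature's 'h' tag; does the 'd' tag match the From domain, making it an author-domain rather than a third-party signature; what happens when the From address has no domain at all) can be made mechanically from the two header fields alone. The following is an added illustration written for this page; it is not the SpamAssassin DKIM plugin's code and does no cryptographic verification of bh=/b=. The sample headers are constructed, and the helper names (parse_dkim_tags, author_domain, classify) are this example's own.

```python
"""Classify a DKIM-Signature relative to the message's From header.

Checks, without verifying the signature itself:
  * whether the h= tag lists From (RFC 6376 requires signers to include it),
  * whether d= equals the From domain (author-domain signature) or not
    (third-party signature), and
  * how a From with no domain is treated (it can only be third-party).
Example code for this page, not SpamAssassin's implementation."""

import re
from email.utils import parseaddr

# Constructed sample messages (not taken from the bug report); only the two
# header fields that matter for the classification are included.
MSG_AUTHOR = {
    "From": "Alice <alice@example.com>",
    "DKIM-Signature": ("v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
                       " h=From:To:Subject:Date; bh=dGVzdA==; b=c2ln"),
}
MSG_THIRD_PARTY = {
    "From": "Alice <alice@example.com>",
    "DKIM-Signature": ("v=1; a=rsa-sha256; d=lists.example.net; s=sel1; "
                       "h=from:to:subject; bh=dGVzdA==; b=c2ln"),
}
MSG_NO_DOMAIN = {                      # incomplete author address
    "From": "alice",
    "DKIM-Signature": ("v=1; a=rsa-sha256; d=example.com; s=sel1; "
                       "h=from:subject; bh=dGVzdA==; b=c2ln"),
}
MSG_FROM_UNSIGNED = {                  # signer violated the RFC: From not in h=
    "From": "Alice <alice@example.com>",
    "DKIM-Signature": ("v=1; a=rsa-sha256; d=example.com; s=sel1; "
                       "h=to:subject:date; bh=dGVzdA==; b=c2ln"),
}
MSG_UNSIGNED = {"From": "Alice <alice@example.com>"}


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2).
    Folding whitespace inside values is dropped; ';' never occurs in a value,
    and only the first '=' separates tag from value (base64 padding follows)."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, _, val = item.partition("=")
        tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def author_domain(from_header):
    """Domain of the author address in From, or None if absent or incomplete."""
    _, addr = parseaddr(from_header or "")
    _local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and domain else None


def _get_header(headers, name):
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def classify(headers):
    """Return a dict describing the signature/From relationship:
    kind is 'author-domain', 'third-party' or 'none'."""
    result = {
        "author_domain": author_domain(_get_header(headers, "From")),
        "signing_domain": None,
        "from_signed": False,
        "kind": "none",
    }
    sig = _get_header(headers, "DKIM-Signature")
    if sig is None:
        return result
    tags = parse_dkim_tags(sig)
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    result["from_signed"] = "from" in signed
    result["signing_domain"] = tags.get("d", "").lower() or None
    if result["signing_domain"] is None:   # d= is mandatory; unusable without it
        return result
    # Exact match only; DMARC-style relaxed (organizational-domain) alignment
    # is deliberately out of scope for this example.
    if result["author_domain"] and result["author_domain"] == result["signing_domain"]:
        result["kind"] = "author-domain"
    else:
        result["kind"] = "third-party"
    return result


if __name__ == "__main__":
    for name, msg in [("author", MSG_AUTHOR), ("third-party", MSG_THIRD_PARTY),
                      ("no-domain", MSG_NO_DOMAIN), ("from-unsigned", MSG_FROM_UNSIGNED),
                      ("unsigned", MSG_UNSIGNED)]:
        print(name, classify(msg))
```

Note what the classification does and does not tell you: MSG_NO_DOMAIN comes out as third-party exactly as the comment says it must, and MSG_FROM_UNSIGNED is flagged with from_signed False even though its d= matches the From domain. Whether either case deserves a score of its own is the policy question the comment answers in the negative; the only input that changes the score is the reputation of signing_domain.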
