> 4. How does the sending MTA know when to stamp this v=2 DKIM header?
> Presumably, it would need to have a list of known forwarders stored somewhere?
Yeah, CDKIM suffers from the same spoofing issue DKIM-D does. That is: 1. if you don't create a whitelist for your sending MTA to know when to use CDKIM or DKIM-D, and when it should not, 2. but instead choose to include either verbatim with every message you send, 3. any of your non-ML receivers can just misuse your CDKIM/DKIM-D, 4. copying it to their email, 5. and signing with their own domain [which was, originally, allowed by your CDKIM/DKIM-D, as it appears in To:].

So, to solve this spoofing hole, you fall back to whitelisting, making sure your MTA uses CDKIM/DKIM-D only on email you know will go through legitimate 3rd party munging and resigning.

However, all that work of implementing a new header protocol and creating a whitelist, while still worrying whether your CDKIM/DKIM-D will get through to the final receiver intact and functional, all while you have no solution for other 3rd parties sending on your behalf, makes me believe these are half-baked solutions. I would choose to specify an alignment exemption policy through DNS instead, which does require you to make a whitelist, of course, but other than putting it into DNS, doesn't require you to do anything else with it, meaning your MTA is unchanged, your DKIM software is the same, and any additional work is on the DMARC receiver, which has to upgrade its DMARC verifier to handle 3rd party alignment, but which it has to do anyway, as DMARC is still new and changing, and making changes to something new is much easier than changing something as old and widespread as DKIM.

-- 
Vlatko Salaj aka goodone
http://goodone.tk

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
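The DNS-published exemption the reply argues for, as an added illustration that is not part of the mailing-list post or any standard: a minimal DMARC-style verifier that checks DKIM identifier alignment and then consults a hypothetical `tpa=` tag listing whitelisted third-party signers. The `tpa` tag, its comma-separated format, and the simplified organizational-domain rule are assumptions for this example; a copied header signed by a domain outside the whitelist still fails.

```python
# Added illustration (not from the mailing-list post): a minimal DMARC-style
# alignment check extended with a hypothetical DNS "third-party alignment
# exemption" whitelist. The _dmarc TXT tag "tpa=" and its format are
# assumptions for this example, not a standard.

def org_domain(domain: str) -> str:
    # Simplified organizational-domain derivation: last two labels.
    # Real verifiers use the Public Suffix List (co.uk etc.).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict (tags lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dkim_aligned(from_domain: str, signing_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') requires an exact match,
    relaxed (default) accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == signing_domain.lower()
    return org_domain(from_domain) == org_domain(signing_domain)

def third_party_allowed(record: dict, signing_domain: str) -> bool:
    """Hypothetical 'tpa' tag: comma-separated signer domains the From: domain
    owner declares as legitimate resigners (e.g. mailing-list hosts)."""
    allowed = {d.strip().lower() for d in record.get("tpa", "").split(",") if d.strip()}
    return signing_domain.lower() in allowed

def evaluate(from_domain, signing_domain, dmarc_txt, signature_valid=True):
    """Return 'pass' if a valid DKIM signature aligns with From:, or if the
    signer is whitelisted via the hypothetical tpa tag; otherwise return the
    published policy action (p=)."""
    record = parse_dmarc_record(dmarc_txt)
    if signature_valid:
        if dkim_aligned(from_domain, signing_domain, record.get("adkim", "r")):
            return "pass"
        if third_party_allowed(record, signing_domain):
            return "pass"
    return record.get("p", "none")

# Constructed sample: example.com publishes strict DKIM alignment and
# whitelists the mailing-list host list.example.org as a legitimate resigner.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; tpa=list.example.org"
```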
