On 7/19/2020 8:08 AM, John Levine wrote:
> This tells us that at least at one big gorilla, the header address isn't something that users see. This leads to two questions, one being why the From address is a better authentication handle than, say, DKIM d=.
I think the possibility of d= hasn't been considered seriously. I'm not going to advocate, but it's worth thinking about this a bit, just to make sure we understand its implications.
I've thought (assumed, recall) that From: was chosen because it is the only address value in email that is required to be present. So it gives you a domain name to start from and then look up for a DMARC record.
There is always that domain name, even when there is no authentication information.
It's only possible to use the d= if there is a signature. So a downgrade attack would succeed by merely removing the DKIM information.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
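As an added illustration of the downgrade point above (example code, not from the thread or any DMARC implementation): a policy lookup keyed on the mandatory From: domain still finds a handle after the DKIM-Signature header is removed, while one keyed on d= has nothing left to look up. The policy table and the message are constructed; the sample signature is a placeholder and is never cryptographically verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS _dmarc TXT records (domain -> policy).
POLICY = {"example.com": "reject"}

# Constructed message; the b=/bh= values are placeholders, not a real signature.
RAW_MESSAGE = (
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.net\r\n"
    "Subject: constructed test message\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; "
    "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "\r\n"
    "hello\r\n"
)

def build_message():
    return message_from_string(RAW_MESSAGE)

def from_domain(msg):
    """From: is required in every message, so this always yields a domain."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None

def dkim_d_domain(msg):
    """d= exists only while a DKIM-Signature header is present."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
    return m.group(1).lower() if m else None

def lookup(handle):
    """Policy for the handle, or None when there is no handle to query."""
    return POLICY.get(handle) if handle else None

def evaluate(msg):
    """Policy found via each candidate anchor for the same message."""
    return {"from": lookup(from_domain(msg)), "dkim": lookup(dkim_d_domain(msg))}

def strip_signature(msg):
    """Simulate the downgrade the thread describes: drop the DKIM header only."""
    stripped = message_from_string(msg.as_string())
    del stripped["DKIM-Signature"]
    return stripped

if __name__ == "__main__":
    print("intact:  ", evaluate(build_message()))
    print("stripped:", evaluate(strip_signature(build_message())))
```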
