On 15 Jul 2021, at 18:07, Douglas Foster wrote:

>> The aligned DKIM signature test can have three conclusions, not just two:
>>
>> · Fully Authenticated: A signature is present, a DNS public key is available, and the key can be used to verify the signature.
>>
>> · Provided: A signature is present, and a DNS public key is available, but the key cannot be used to validate the signature.
>>
>> · No Signature or No key: A signature is not present or is present but the DNS public key is not available.
>>
>> If the domain owner indicates that all messages originate with a signature, then messages with “No Signature or No Key” are verifiably not from the domain owner and can be confidently repudiated.
Why would “Provided” be handled any differently from “No signature or no key”? An attacker can easily provide a signature for a message they are spoofing, and after observing some of that domain’s traffic will know what selector name to use that has a published public key. DKIM is very explicit about its results: either the signature verifies or it does not. There is no third case.

-Jim

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
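The point Jim makes above (a signature that is present and has a published key but does not verify is no better than no signature at all) can be seen in a verifier's code. The following Go program is an added example written for this page, not code from either poster or from any DKIM implementation. It uses a simplified relaxed header canonicalization and RSA-SHA256 over headers only (no body hash, no full RFC 6376 tag parsing), and the domain `example.com`, selectors `s1`/`s2` and the in-memory `keyStore` are constructed stand-ins for real DNS `selector._domainkey.domain` records.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Result is what a receiver records for one DKIM signature. The verdict is
// "pass" or "fail" only; Reason is diagnostic text for logs.
type Result struct {
	Verdict string
	Reason  string
}

// keyName builds the DNS name a verifier queries for the selector's public key.
func keyName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// canonicalize applies a simplified "relaxed" header canonicalization:
// lowercase field names, whitespace collapsed to single spaces, no trailing space.
// Body hashing and the remaining RFC 6376 rules are omitted (illustration only).
func canonicalize(headers []string) []byte {
	var out []string
	for _, h := range headers {
		parts := strings.SplitN(h, ":", 2)
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		value := ""
		if len(parts) == 2 {
			value = strings.Join(strings.Fields(parts[1]), " ")
		}
		out = append(out, name+":"+value)
	}
	return []byte(strings.Join(out, "\r\n"))
}

// sign produces an RSA-SHA256 signature over the canonicalized headers.
func sign(priv *rsa.PrivateKey, headers []string) ([]byte, error) {
	digest := sha256.Sum256(canonicalize(headers))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// keyStore is a constructed stand-in for the DNS TXT records a verifier would fetch.
type keyStore map[string]*rsa.PublicKey

// Evaluate collapses every outcome into pass or fail. A signature that is present
// and has a published key but does not verify lands in exactly the same place as
// a missing signature or a missing key: there is no third verdict.
func Evaluate(store keyStore, selector, domain string, headers []string, sig []byte) Result {
	if len(sig) == 0 {
		return Result{"fail", "no signature"}
	}
	pub, ok := store[keyName(selector, domain)]
	if !ok {
		return Result{"fail", "no key published at " + keyName(selector, domain)}
	}
	digest := sha256.Sum256(canonicalize(headers))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Result{"fail", "signature present but does not verify"}
	}
	return Result{"pass", ""}
}

// Scenarios builds a constructed domain, signs a message, and evaluates the
// cases discussed in the thread. It returns scenario name -> Result.
func Scenarios() (map[string]Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	const domain, selector = "example.com", "s1" // constructed values
	store := keyStore{keyName(selector, domain): &priv.PublicKey}
	headers := []string{"From: alice@example.com", "Subject: hello"}
	sig, err := sign(priv, headers)
	if err != nil {
		return nil, err
	}
	// A spoofed message carrying a real selector name and a signature that
	// does not match its content: the "Provided" case from the quoted mail.
	spoofed := []string{"From: alice@example.com", "Subject: pay this invoice"}
	return map[string]Result{
		"fully authenticated": Evaluate(store, selector, domain, headers, sig),
		"provided":            Evaluate(store, selector, domain, spoofed, sig),
		"no key":              Evaluate(store, "s2", domain, headers, sig), // selector with no record
		"no signature":        Evaluate(store, selector, domain, headers, nil),
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, r := range res {
		fmt.Printf("%-20s %-5s %s\n", name, r.Verdict, r.Reason)
	}
}
```

Only the first scenario yields `pass`; the other three all yield `fail`, differing solely in the logged reason. That reason is useful for operators diagnosing a signing or DNS problem, but for the policy decision a receiver has no basis to treat "provided" more favourably than "no key", which is exactly the objection raised in the reply.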
