In message <[email protected] il.com>, Douglas Foster <[email protected]> writes
> A DKIM signature acts like a notary public, "This person, who is
> well known to me, can be reliably associated with this document."

no it doesn't -- it says ... I (as identified by this key) had sight of
this email and was able to alter it

> Signing works for DMARC only when the DKIM signer has actually
> validated the entity before adding the signature.

signing works for DMARC because of alignment ... nothing else

> I know of no discussion
> about how a gateway authenticates its clients and how an evaluator
> knows that the signature was applied to an authenticated message.

that's outwith the DKIM/DMARC model

> This is relevant for at least Outlook.com. It does not enforce SPF
> on incoming messages, but does assume that the incoming identity is
> valid. It then adds a signature for the purported client, using
> either "<clientproxy>.onmicrosoft.com" or the actual client domain,
> depending on the client's DNS configuration. This can produce
> false DMARC Pass, sometimes with Dual Authentication. This attack
> strategy has been observed in the wild.

there is a great deal of mail coming from large systems which has a
DMARC pass and does not actually come from where it purports to...

[snip]

> More generally, a message should only be considered DMARC-validated
> if it can be validated at every organization change. There are
> many obstacles to making that determination. ARC is clearly part
> of the solution.

I would agree that ARC is required (along with trust in the entity that
added the ARC headers) when messages have been altered since they were
originally created... I don't think it is a general solution to dealing
with the failings of SPF

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
                                                 Benjamin Franklin 11 Nov 1755
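The "alignment ... nothing else" point made in the reply above, as an added example that is not part of this thread: a minimal DMARC identifier-alignment evaluator, run against the gateway case the thread describes (a signature added under a `<clientproxy>.onmicrosoft.com` domain versus one added under the client's own domain). It assumes a simplified organizational-domain rule (last two labels); a real evaluator uses the Public Suffix List, and the domain names are constructed sample values.

```python
# Added example (not from the thread): simplified DMARC identifier alignment.
# Assumption: organizational domain = last two labels. Real evaluators consult
# the Public Suffix List, so "example.co.uk" would be handled wrongly here.


def org_domain(domain: str) -> str:
    """Return the (simplified) organizational domain, case-folded."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains;
    strict ('s') requires an exact match of the two domains."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_result(from_domain, dkim_pass_domains, spf_pass_domain=None,
                 adkim="r", aspf="r"):
    """from_domain: RFC5322.From domain.
    dkim_pass_domains: d= values of signatures that verified.
    spf_pass_domain: RFC5321.MailFrom domain if SPF gave pass, else None.
    DMARC passes if EITHER an aligned DKIM pass OR an aligned SPF pass exists.
    Nothing here asks whether the signer vetted who submitted the message:
    that is outside the model, exactly as the reply says."""
    dkim_ok = any(aligned(from_domain, d, adkim) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, aspf)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "pass": dkim_ok or spf_ok}


if __name__ == "__main__":
    # Constructed sample domains illustrating the gateway scenario.
    # Signature under the proxy domain does not align with the From domain.
    print(dmarc_result("example.com", ["contoso.onmicrosoft.com"]))
    # Signature under the client's own domain aligns and yields DMARC pass,
    # whether or not the gateway ever authenticated the submitting client.
    print(dmarc_result("example.com", ["example.com"]))
```

An evaluator that wants more than this (who handled the message before the signer, and whether each hop was trusted) needs ARC plus trust in the ARC sealer, which is the limitation the reply raises.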
