On Sun, 27 Oct 2024, Tero Kivinen wrote:
If there are no malicious forwarders, you can just trust the ARC headers
they put in, and if they said DKIM was valid when it came in, you can
trust it...

First, I really would encourage you to read Richard's draft, again if you already have, because most of this is addressed there.

With ARC you cannot tell whether it's really a forward, so the reputation of the forwarder is the only thing you have.

With DKIM2 a malicious forwarder would have to take a signed message sent to that forwarder, make changes, and sign it again and send it out.

DKIM2 puts the envelope recipient in the signature so you can't forward some random message you found in an archive, you can only forward a message sent *to you*, and it has date stamps, so it has to be a message sent to you recently.

I suppose some kind of spear phishing would make this worthwhile, but the need to start with a recent message sent from someone with a good reputation to you makes it a lot harder.

R's,
John

_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]