-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <[email protected] il.com>, Douglas Foster <[email protected]> writes
[you should probably post these sorts of questions on the DKIM list] >DKIM Relay Defense: When DKIM2 is applied by organization A to the >originating message, recipient C is able to detect with certainty that a >forwarding operation has occurred through organization B. if B applies a DKIM2 signature yes > The message is >also authenticated as long as the DKIM2 signature was applied by the >originating organizations. You cannot tell who applied a signature ... all you can determine is that someone had access to the message and to the private key for the signing domain. The vast majority of mail (by volume) has a DKIM signature applied by the ESP on behalf of the sending organisation (who may well not have a copy of the private key at all). >Without doubt, identifying forwarders is >valuable, and DKIM2 makes the identification easier to perform. However, >to use this data to defeat DKIM reply, recipient C must know whether or not >organization B is a known and trusted forwarder. If you only ever see one incoming message you cannot determine whether a replay has occurred. You can form an opinion about the message based on the systems that the message has traversed of course. If you see multiple messages (with the same hash values) then you can determine whether that is expected (because one of the headers indicates that a system has "exploded" the message) or not. If it is not expected then there is a replay and you may well wish to reject the message. If it is expected then you will need to form an opinion about the reputation of the system that did the "explode". - -- richard writing to inform and not as company policy "Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBaYsVPmHfC/FfW545EQL8UACg+RiupbVrBVn4R+z9Njs8p/PF9okAnRFf C+0EM+aX7YPFFkjKWvczK6ni =1qKc -----END PGP SIGNATURE----- _______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
