On Tue 22/Nov/2022 01:21:00 +0100 Murray S. Kucherawy wrote:
> Just for the sake of being complete, we should probably come up with
> something to say about this, which is in RFC 4686, the DKIM "threats"
> document:
>
>    DKIM operates entirely on the content (body and selected header
>    fields) of the message, as defined in RFC 2822 [RFC2822]. The
>    transmission of messages via SMTP, defined in RFC 2821 [RFC2821], and
>    such elements as the envelope-from and envelope-to addresses and the
>    HELO domain are not relevant to DKIM verification. This is an
>    intentional decision made to allow verification of messages via
>    protocols other than SMTP, such as POP [RFC1939] and IMAP [RFC3501]
>    which an MUA acting as a verifier might use.
>
> We actually seemed to like the idea, at least back then, that the signature
> survives delivery so that it can be validated at any point later.

Indeed, there are products, like Lieser's DKIM verifier plugin for
Thunderbird[*], which verify DKIM on the MUA.
Best
Ale
--
[*] https://github.com/lieser/dkim_verifier
https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/
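
Added example, not part of the original message and not code from the DKIM verifier plugin: a Python sketch of the content-only check the quoted RFC 4686 text describes, recomputing the `bh=` body hash from a stored message with no envelope data. It assumes `a=rsa-sha256` with relaxed body canonicalization and no `l=` tag; the sample message, its addresses and the `b=` placeholder are constructed, and the `b=` signature itself is not verified because that needs the signer's public key from DNS.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()                       # drop trailing empty lines
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def dkim_tags(raw: bytes) -> dict:
    """Tag list of the first DKIM-Signature header field in the message."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for field in re.sub(rb"\r\n[ \t]+", b" ", head).split(b"\r\n"):   # unfold
        name, _, value = field.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            pairs = (t.split(b"=", 1) for t in value.split(b";") if b"=" in t)
            return {k.strip().decode(): v.strip().decode() for k, v in pairs}
    raise ValueError("no DKIM-Signature header field")

def body_hash_matches(raw: bytes) -> bool:
    """Recompute bh= from the message bytes alone; no envelope data is used."""
    tags = dkim_tags(raw)
    if tags.get("a") != "rsa-sha256" or not tags.get("c", "simple/simple").endswith("/relaxed"):
        raise ValueError("example handles rsa-sha256 with relaxed body only")
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    return re.sub(r"\s+", "", tags["bh"]) == body_hash(body)

# Constructed sample: b= is a placeholder, since checking it needs the signer's DNS key.
BODY = b"Hello,  world \r\nsecond line\r\n\r\n"
SIGNED = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
          b" s=sel; h=from:subject; bh=" + body_hash(BODY).encode() + b";\r\n"
          b" b=PLACEHOLDER\r\n"
          b"From: alice@example.com\r\nSubject: test\r\n\r\n" + BODY)
# As later read from a mailbox: delivery prepended trace fields, body whitespace changed.
STORED = (b"Return-Path: <bounce@mail.example.net>\r\n"
          b"Received: from mx.example.net by imap.example.org; 22 Nov 2022\r\n"
          + SIGNED.replace(b"Hello,  world ", b"Hello, world"))
```

`body_hash_matches(STORED)` holds even though trace fields were prepended and whitespace in the body changed in transit, while any change to the body text makes it fail.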