On Tuesday, November 22, 2022 8:48:48 AM EST Alessandro Vesely wrote:
> On Tue 22/Nov/2022 01:21:00 +0100 Murray S. Kucherawy wrote:
> > Just for the sake of being complete, we should probably come up with
> > something to say about this, which is in RFC 4686, the DKIM "threats"
> > document:
> >
> > DKIM operates entirely on the content (body and selected header
> > fields) of the message, as defined in RFC 2822 [RFC2822]. The
> > transmission of messages via SMTP, defined in RFC 2821 [RFC2821], and
> > such elements as the envelope-from and envelope-to addresses and the
> > HELO domain are not relevant to DKIM verification. This is an
> > intentional decision made to allow verification of messages via
> > protocols other than SMTP, such as POP [RFC1939] and IMAP [RFC3501]
> > which an MUA acting as a verifier might use.
> >
> > We actually seemed to like the idea, at least back then, that the
> > signature survives delivery so that it can be validated at any point later.
>
> Indeed, there are products, like Lieser's DKIM verifier plugin for
> Thunderbird[*], which verify DKIM on the MUA.

My desktop MUA of choice (kmail) includes the capability too.

The initial recipient in the replay scheme is part of the hostile effort, so I don't think anything that requires their cooperation addresses the question in any meaningful way.

Scott K

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
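As an added illustration of the RFC 4686 passage quoted in the thread (example code written for this page, not from the thread or from any DKIM implementation): it computes the RFC 6376 "simple" body hash and the h= header selection for a constructed message, and shows that two deliveries with different SMTP envelopes yield an identical signing input, which is why the signature alone cannot tell a replayed copy apart. Header unfolding and the DKIM-Signature header itself are left out.

```python
import base64
import hashlib

def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 s3.4.3 'simple' body canonicalization: CRLF line endings,
    every trailing empty line dropped, body ends with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body

def body_hash(body: bytes) -> str:
    """The bh= tag value: base64(SHA-256) of the canonicalized body."""
    digest = hashlib.sha256(simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode()

def signed_input(raw: bytes, h_tags: list[str]) -> tuple[bytes, str]:
    """What a verifier hashes: the header fields listed in h= (last
    occurrence wins, matching the RFC's bottom-up selection) plus bh=.
    Folded headers are not unfolded here. Nothing comes from the envelope."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields: dict[str, bytes] = {}
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        fields[name.decode().lower()] = value.strip()
    picked = b"\r\n".join(fields[h.lower()] for h in h_tags if h.lower() in fields)
    return picked, body_hash(body)

# Constructed sample message; the same bytes are handed to both deliveries.
MESSAGE = (b"From: sender@example.com\r\nTo: list@example.net\r\n"
           b"Subject: Replay test\r\nDate: Tue, 22 Nov 2022 08:48:48 -0500\r\n"
           b"\r\nSame body each time.\r\n")
H_TAGS = ["From", "To", "Subject", "Date"]
# Constructed envelopes: MAIL FROM, RCPT TO and HELO differ between deliveries.
ENVELOPES = [
    {"mail_from": "sender@example.com", "rcpt_to": "a@example.net", "helo": "mx.example.com"},
    {"mail_from": "relay@example.org", "rcpt_to": "b@example.net", "helo": "relay.example.org"},
]

def verifier_view(envelope: dict[str, str], raw: bytes) -> tuple[bytes, str]:
    """The envelope is accepted but never read: per RFC 4686 the signature
    input depends only on the message content."""
    return signed_input(raw, H_TAGS)

def replay_is_indistinguishable() -> bool:
    """Both deliveries produce the identical signing input, so a receiver
    needs another check (e.g. the x= expiration tag) to notice a replay."""
    views = [verifier_view(env, MESSAGE) for env in ENVELOPES]
    return views[0] == views[1]

if __name__ == "__main__":
    print("signing input identical across deliveries:", replay_is_indistinguishable())
```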
