On Tue, 2007-01-23 at 10:07 -0500, [EMAIL PROTECTED] wrote:

> Authoritative statements made by a DKIM aware MUA are a good thing.
> However from an ISP perspective I would not depend on an end user to
> have a DKIM aware MUA but will verify and do Policy silently at my edge
> MTA devices. Any mail that makes it past there can still be acted upon
> by the MUA.
There are millions of new domains added and removed every day. Checking sender policy is like asking a fox to guard the chicken coop. Should the MTA verify DKIM signatures before applying filters? Don't forget about Display-Name only, clever use of UTF-8, cousin domains, and obfuscations making it appear as though the email-address is displayed. Of course, there is also EAI, soon to be embraced by a major part of the world. Exploits will still slip through MTAs, simply because the MTA does not know whom the recipient is trusting. Reasonable anti-phishing efforts at the MTA require the content of the message (including the content of the links within the message) to be checked, and not just a check of a sender policy. Content checking will not be comprehensive either, as IP address shuttering techniques easily defeat even these difficult checks.

Reasonable anti-phishing efforts at the MUA only need to annotate those email-addresses found in the recipient's address book that are confirmed by a DKIM signature. No sender policy is needed. Content does not matter, look-alikes of any type are thwarted, and this protection is not easily defeated. These MUA extensions can be added as plugins. End user extensions are even available for web clients.

Expecting that all DKIM signatures are verified at the MTA is wrong! Expecting that providers' customers should accumulate their private keys at the MTA is wrong! There should _never_ be more than just the provider's private key at the MTA! Association between the email-address domain and the signing domain SHOULD be by REFERENCE! It is absurd to demand that associations are only possible when they are within the same domain. Association by REFERENCE can accommodate the dual identities offered by EAI addresses.

Providers must stop trying to obfuscate who is signing and transmitting messages! Annotations based upon DKIM signatures should be directly verified. Early removal of public keys may cause such annotations not to be applied.
Expectations that the MTA has verified all DKIM signatures and sender policies should be strongly discouraged.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
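The MUA-side annotation scheme described in the message above (annotate only address-book entries that a DKIM signature from the associated signing domain confirms, with the association held "by reference" rather than requiring the signing domain to equal the address domain) can be sketched in code. The following is an added example, not code from the original post or from any DKIM implementation. It assumes a constructed address book, constructed sample messages, and a stub verifier in which a signature "passes" iff its b= tag is the literal VALID; a real MUA plugin would replace the stub with cryptographic verification (for example via dkimpy) and keep everything else.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book (assumption): each address maps to the signing
# domain(s) the recipient has associated with it "by reference".  Bob's mail
# is signed by his provider rather than by example.org, and that is fine.
ADDRESS_BOOK = {
    "alice@example.com": {"example.com"},
    "bob@example.org": {"mail-provider.example"},
}


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            # folding whitespace inside values (e.g. b=) is not significant
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def stub_verifier(header_value):
    """Stand-in for cryptographic DKIM verification (assumption, not real
    DKIM): the signature is treated as passing iff b=VALID."""
    return parse_dkim_tags(header_value).get("b") == "VALID"


def passing_signing_domains(msg, verify):
    """Lower-cased d= of every DKIM-Signature the verifier accepts."""
    domains = set()
    for header_value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(header_value)
        if "d" in tags and verify(header_value):
            domains.add(tags["d"].lower())
    return domains


def annotate_from(raw_message, verify=stub_verifier):
    """Return (status, addr-spec) for the From header:
       'confirmed'   addr in the book and a trusted signing domain verified
       'unconfirmed' addr in the book but no trusted signature verified
       'unknown'     addr not in the book (display-name and cousin-domain
                     look-alikes land here, whatever they are signed with)
    Only the real addr-spec is consulted; display name and body are ignored."""
    msg = message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    trusted = ADDRESS_BOOK.get(addr)
    if trusted is None:
        return ("unknown", addr)
    if trusted & passing_signing_domains(msg, verify):
        return ("confirmed", addr)
    return ("unconfirmed", addr)


def _msg(from_hdr, d, b):
    """Build a constructed message carrying one (folded) DKIM-Signature."""
    return (
        f"From: {from_hdr}\n"
        "To: me@example.net\n"
        "Subject: test\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel; c=relaxed/relaxed;\n"
        f" h=from:to:subject; bh=CONSTRUCTED; b={b}\n"
        "\n"
        "body\n"
    )


# Constructed samples covering the cases the message above raises.
SAMPLES = {
    "genuine": _msg("Alice <alice@example.com>", "example.com", "VALID"),
    "by_ref": _msg("Bob <bob@example.org>", "mail-provider.example", "VALID"),
    "lookalike": _msg('"alice@example.com" <phish@attacker.example>',
                      "attacker.example", "VALID"),
    "cousin": _msg("Alice <alice@examp1e.com>", "examp1e.com", "VALID"),
    "badsig": _msg("Alice <alice@example.com>", "example.com", "BROKEN"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {annotate_from(raw)}")
```

Note what the scheme does not need: no sender policy lookup, no content or link inspection, and no trust in an upstream MTA's verdict. The look-alike and cousin-domain samples carry a perfectly valid signature from the attacker's own domain, yet receive no annotation because the addr-spec is simply not in the book; the genuine sender whose signature fails to verify is flagged as unconfirmed rather than silently trusted.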
