On 10/20/10 8:10 AM, Ian Eiloart wrote:
> --On 19 October 2010 11:35:53 -0400 "John R. Levine" <[email protected]>
> wrote:
>
> >> True, but there already are UI designs that indicate when a From
> >> header is DKIM verified.
>
> > So you're saying that all a spammer has to do is to put on a
> > throwaway domain's signature, and the MUA will highlight at least
> > parts of the message with green goodness? Surely our understanding
> > of domain reputation is better than that.
>
> I believe that's the basis of this whole discussion, isn't it? The
> point is that the MUA tells you whether the header was signed, and
> leaves you to apply the domain or address reputation. I think that's
> a step forward. At least, it is when I know the purported author.
> And, surely I'm better at assigning reputation to -say- my brother
> than any automated system is.

DKIM does not authenticate the From header field; however, it provides
authenticated DKIM domains that are, at a minimum, bound with the From
header field. When the DKIM domain is "Big-Bank.com", and you or your
system trusts this domain, there should also be less concern related to
whether a From header field containing "[email protected]" offers
deceptive information.

> But, hey, I'm on your side here. I think we should put a warning in
> the RFC so that vendors are informed that they need to be sure
> they're highlighting the correct header.

Why? There would not be a problem when DKIM verification results
return PERMFAIL when there is any doubt which From header field might
be selected when more than one exists.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
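The verifier-side check that Doug's last paragraph implies, as an added example that is not from this thread or from any DKIM implementation: count the From fields of a raw message, read the h= tag of its DKIM-Signature, and return PERMFAIL when there is not exactly one From field or the signature does not cover it. It also reports when the signer listed From more than once in h= (RFC 6376 allows this so that a From field added after signing invalidates the signature instead of going unsigned). The sample messages are constructed; the bh= and b= values are placeholders, not real signatures.

```python
# Added example: classify how a message's From field is bound by its
# DKIM-Signature. Not from the list thread or any DKIM library.
from email import message_from_string


def signed_fields(dkim_signature: str) -> list[str]:
    """Return the lowercased header names listed in the h= tag of a DKIM-Signature."""
    unfolded = dkim_signature.replace("\r", "").replace("\n", "")
    for tag in unfolded.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "h":
            return [f.strip().lower() for f in value.split(":") if f.strip()]
    return []


def from_binding_status(raw_message: str) -> str:
    """Return PERMFAIL, SIGNED or OVERSIGNED for the From/DKIM binding.

    PERMFAIL: not exactly one From field, no DKIM-Signature, or From absent
    from h= (RFC 6376 requires the signer to cover From).
    OVERSIGNED: h= names From more often than it occurs, so a From field
    added in transit breaks the signature rather than going unsigned.
    SIGNED: exactly one From field, covered exactly once.
    """
    msg = message_from_string(raw_message)
    from_fields = msg.get_all("From") or []
    signature = msg.get("DKIM-Signature")
    if len(from_fields) != 1 or signature is None:
        return "PERMFAIL"
    covered = signed_fields(signature).count("from")
    if covered == 0:
        return "PERMFAIL"
    return "OVERSIGNED" if covered > len(from_fields) else "SIGNED"


# Constructed sample messages; bh= and b= are placeholders, not real signatures.
SAMPLE_ONE_FROM = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    "\th=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.com>\nTo: Bob <bob@example.net>\n"
    "Subject: hi\n\nHello\n"
)
SAMPLE_OVERSIGNED = SAMPLE_ONE_FROM.replace("h=From:To:Subject", "h=From:From:To:Subject")
# The same message with a second From field added after signing.
SAMPLE_DUPLICATE_FROM = "From: Big-Bank <mail@big-bank.example>\n" + SAMPLE_ONE_FROM

if __name__ == "__main__":
    for label, sample in [("one From", SAMPLE_ONE_FROM), ("oversigned", SAMPLE_OVERSIGNED),
                          ("duplicate From", SAMPLE_DUPLICATE_FROM)]:
        print(f"{label}: {from_binding_status(sample)}")
```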
