There's one problem with DKIM as a phishing defense, which I have mentioned in passing a few times here, but no one else seems to have taken up discussion of.
An e-mail From: usually has two parts. One is the email address itself. The other part is the full name of the sender. Usually the address is enclosed in angle brackets while the remainder of the header is the full name, although there is an alternative form where the full name is in parentheses and the address is bare. Full names are not used in routing and not registered anywhere. Neither DKIM nor anything else can validate them.

Nonetheless, in summaries of incoming mail, MUAs tend to display *just* the full name. Hence, I could send a phish as: "From: PayPal <[email protected]>" and (so long as the content was good enough) fool an unsuspicious user while passing ADSP with flying colors. An already-suspicious user could see through it -- but such a user would probably look at the other headers and notice anomalies without needing the help of DKIM. All ADSP would do is help declutter his mailbox of the forgeries that don't use this trick.

By the way, this is why I consider the double-From: problem to be a molehill. If widely used, the double-From: would quickly appear in SpamAssassin and the like -- one doesn't even need to do any cryptographic work to detect and block it. In contrast, detecting false full names would require some sort of registry that does not exist at present.

---- Michael Deutschmann <[email protected]>
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
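As an added illustration of the point above (not code from the poster or the list), the following splits a From: header into the two parts the message describes, handles both the angle-bracket and the parenthesised forms, and applies a locally maintained brand-to-domain table to flag a display name whose brand does not match the address domain. The brand table and every address are constructed samples; the table is exactly the kind of local "registry" the post says does not exist globally, so it only protects names an operator chooses to list.

```python
import re
from email.utils import parseaddr
from typing import NamedTuple, Optional


class FromHeader(NamedTuple):
    display_name: str  # the part MUAs tend to show; DKIM never covers it
    address: str       # the addr-spec; only its domain is tied to a DKIM signer


# RFC 5322 "addr-spec (comment)" form: bare address followed by a parenthesised name.
_COMMENT_FORM = re.compile(r"^\s*([^\s<>()]+@[^\s<>()]+)\s*\((.*)\)\s*$")


def parse_from(header: str) -> FromHeader:
    """Return (display name, lowercased address) for both
    'Name <addr>' and 'addr (Name)' header forms."""
    m = _COMMENT_FORM.match(header)
    if m:
        return FromHeader(m.group(2).strip(), m.group(1).lower())
    name, addr = parseaddr(header)  # handles quoting and angle brackets
    return FromHeader(name.strip(), addr.lower())


# Constructed sample: brands an operator chooses to protect, mapped to the
# domains (and their subdomains) allowed to carry that brand as a display name.
PROTECTED_BRANDS = {
    "paypal": {"paypal.com"},
    "example bank": {"examplebank.example"},
}


def _domain_allowed(domain: str, allowed: set) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def display_name_mismatch(header: str) -> Optional[str]:
    """Return the protected brand a display name invokes when the address
    domain is not one of that brand's domains; None otherwise. A passing
    DKIM/ADSP result says nothing about this field, so the check is separate."""
    parsed = parse_from(header)
    domain = parsed.address.rsplit("@", 1)[-1]
    name = parsed.display_name.lower()
    for brand, domains in PROTECTED_BRANDS.items():
        # Match the brand word itself or a domain-looking display name.
        if brand in name or any(d in name for d in domains):
            if not _domain_allowed(domain, domains):
                return brand
    return None
```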
