On 6/17/11 1:05 PM, Rolf E. Sonneveld wrote:
> Dear all,
>
> after some off-list conversation with Dave he suggested I might want to
> send this to the list. I apologize in advance if this message does not
> apply to you. I also apologize if you get this message twice, when you
> are subscribed to both ietf-dkim and the opendkim list.

[]

> Regards,
> /rolf
Hi Rolf,

The general goal of DKIM was to establish a domain relationship as a trust basis for acceptance. DKIM was also to allow incremental deployment without requiring undefined additional filtering performed by mail transfer or mail user agents. When essential format checks are skipped, this deficiency allows acceptance based upon DKIM's domain to be potentially deceptive, where its results may play an evil role that cannot be repaired through the use of reputation.

Free email providers likely use DKIM to take advantage of their "too big to block" volumes. For these domains, their reputation is understood to offer little assurance of their overall integrity. Allowing a pre-pended From header field to not affect the validity of a DKIM signature, according to the specification, means the UNDERSTOOD source of a message can NEVER be trusted. Those that phish by taking advantage of this flaw are unlikely to affect the acceptance of any exploited high volume domain.

DKIM could have avoided the offering of false assurances by not ignoring illegal header fields per RFC 5322 and defining such messages as resulting in invalid signatures. At this time, it would be prudent to NOT recommend use of DKIM due to this and a lack of required Fake A-label detection.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
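The pre-pended From: problem Doug describes comes from how a DKIM verifier picks the header fields a signature covers. RFC 6376 section 5.4.2 has the verifier walk the message from the bottom up, consuming one instance of each name listed in the h= tag; a second From: added at the top is therefore never looked at when h= names From: only once, yet it is the one many mail clients display. The same section notes that a signer can list a field name more times than it occurs, so that a later-added instance is pulled into the hash and the signature fails. The model below is an added worked example, not code from the list thread or from any DKIM implementation: it reduces signing to a SHA-256 over the selected fields (real DKIM signs that hash with the domain's key) and uses a constructed three-header message and a constructed forged From:, which is all that is needed to show which fields the signature actually binds.

```python
"""Model of which header fields a DKIM signature covers (added example).

Selection follows RFC 6376 section 5.4.2: for each name in the h= tag,
walking the message from the bottom up, take the next not-yet-used
instance of that field; if none is left, the name contributes an empty
string.  Signing is simplified to a SHA-256 over the selected fields,
since the question here is only which fields are bound by the signature.
"""
import hashlib
from typing import List, Tuple

Header = Tuple[str, str]  # (field name, field value)

# Constructed sample message, as the signer saw it.
ORIGINAL: List[Header] = [
    ("From", "Alice <alice@example.com>"),
    ("To", "Bob <bob@example.org>"),
    ("Subject", "Quarterly numbers"),
]

# Constructed attacker-prepended From: field.  A second From: violates
# RFC 5322 (it must appear exactly once), and many MUAs show the topmost.
FORGED_TOP_FROM: Header = ("From", "CEO <ceo@bank.example>")


def select_signed_headers(headers: List[Header], h_tag: str) -> List[str]:
    """Return the field lines covered by a signature whose h= tag is h_tag.

    Each name in h_tag consumes one instance of that field, searched from
    the bottom of the header block upward; a name with no remaining
    instance contributes "" (this is what lets double-listing a field
    cover an instance added later).
    """
    remaining = list(headers)  # copy; instances are consumed as selected
    covered: List[str] = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                fname, fvalue = remaining.pop(i)
                covered.append(f"{fname}:{fvalue}")
                break
        else:
            covered.append("")
    return covered


def header_hash(headers: List[Header], h_tag: str) -> str:
    """Stand-in for the signed header hash: SHA-256 over the covered lines."""
    data = "\r\n".join(select_signed_headers(headers, h_tag)).encode()
    return hashlib.sha256(data).hexdigest()


def verify(signed_hash: str, headers: List[Header], h_tag: str) -> bool:
    """Recompute the header hash over the received message and compare."""
    return header_hash(headers, h_tag) == signed_hash


def run_attack(h_tag: str) -> bool:
    """Sign ORIGINAL with h_tag, prepend the forged From:, report whether
    the signature still verifies (True means the attack goes unnoticed)."""
    signed = header_hash(ORIGINAL, h_tag)
    tampered = [FORGED_TOP_FROM] + ORIGINAL
    return verify(signed, tampered, h_tag)


if __name__ == "__main__":
    # From: listed once: the forged top From: is never selected.
    print("h=from:to:subject       still verifies:", run_attack("from:to:subject"))
    # From: listed twice: the second "from" now selects the forged field.
    print("h=from:from:to:subject  still verifies:", run_attack("from:from:to:subject"))
```

With h=from:to:subject the tampered message verifies, because the verifier's bottom-up search reaches Alice's From: first and never examines the forged one above it. With h=from:from:to:subject the signer's hash covered Alice's From: plus an empty slot, and on the tampered message that slot is filled by the forged field, so the hash no longer matches. The verifier-side check is a separate matter: the spec does not itself require rejecting a message with two From: fields, which is the gap Doug is objecting to.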
