On 23 Jun 2011, at 20:00, Douglas Otis wrote: >> >> This seems like a completely bogus argument to me. You're saying that >> some domains can't be trusted, therefore none can be trusted. That's >> a logical fallacy. > > Not at all. Acceptance policies and results for DKIM MUST align with > what is being displayed in the message. Otherwise malefactors may be > able to exploit open and large volume domain's signatures and their lack > of duplicates in the signed header list (which most don't do). The > pre-pended header fields could then be that of any high value domain. > These messages might have been accepted on the false premise of being > from a high volume domain when based upon valid DKIM signature indications.
Right, but DKIM is checked at the MTA. If I think that messages DKIM signed by, say, my local council, are trustworthy, then I apply a spam score accordingly. The fact that someone else might spoof a From: header in a different mail stream says nothing about whether I can trust the stream from my local council. So, it may be that the practical outcome is to improve the deliverability of mail for a trusted signer, which is a different problem. But that's still useful. With ADSP, of course, there's also a chance of spotting spoofed messages. And, if multiple "From:" headers become a popular spoofing mechanism, I guess sites will stop accepting them. I accept that DKIM doesn't solve every problem, but that doesn't mean that it has no value. -- Ian Eiloart Postmaster, University of Sussex +44 (0) 1273 87-3148 _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
