> On Aug 14, 2016, at 10:11 PM, Eliot Lear <[email protected]> wrote: > > > > On 8/14/16 6:46 AM, Steve Atkins wrote: >> If there were a protocol that said "if you receive mail signed by this >> domain / this key and the recipient isn't in the To: or Cc: field, >> block it", or some similar protocol that signed the envelope >> recipient, that would pretty much eliminate DKIM replay as a threat in >> some cases. > > That would be a DKIM flag, right?
Yes, part of the DKIM-Signature header, probably (though that's not a requirement, just one obvious implementation). > And you don't want to block- you just > want the signature treated as invalid. That's one option, and likely the more useful one. > Then normal DMARC processing > could occur. ISPs with actual users probably shouldn't be publishing DMARC p=reject records, because it interferes with normal use of email by their users. Those are exactly the same senders who allow users to generate content which they then sign, so are more than usually vulnerable to replay of DKIM signed messages. (None of this is really about _abuse_ per-se, it's about the control that a domain owner wants to have over the use of their domain in any context. Email, and preventing users of email from using domains, is the current battlefield.) Cheers, Steve _______________________________________________ mailop mailing list [email protected] https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
