On 2022-11-09 13:37, Bill Cole via mailop wrote:
> On 2022-11-09 at 06:47:55 UTC-0500 (Wed, 09 Nov 2022 11:47:55 +0000)
> MRob via mailop <[email protected]>
> is rumored to have said:
>
>> On 2022-11-09 08:40, Slavko via mailop wrote:
>>> On 9. 11. at 0:34, MRob via mailop wrote:
>>>> ... But if Microsoft agrees to DKIM-sign using envelope-from
>>>> (**signature including the FROM header**), shouldn't that mean it is
>>>> seeing the headers and can of course validate the FROM header? For me
>>>> that shows extra proof of Microsoft allowing free-form unchecked spoofing
>>>
>>> DKIM doesn't validate any of the signed header(s). It only digitally
>>> signs them so the receiver can verify that they weren't modified in
>>> transport (from signer to receiver). Nothing more, nothing less.
>>
>> Not questioning DKIM. The point is Microsoft has the FROM header in
>> its hand, so it *can* easily do validation against the user account to
>> disallow spoofing.
>
> Not so much.
> If I send mail via an MS service and put in a (working) address in my
> own domain in the From header, how is Microsoft supposed to "validate"
> that?

Easy: users register their addresses in their MS acct, and MS only sends
with a FROM in the allowed list

> What they'd need to do in that case is to have alternative address
> registration and confirmation at a per-user granularity. Users hate
> that.

MS and you agree: users hate that, so the best decision is to allow
free-form spoofing :(
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
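
The per-user registered-address check argued over in this thread, sketched as an added example (not part of any post, and not Microsoft's code). The account table, the addresses, the sample messages and the function names are constructed for illustration, and rejecting a multi-address From is an assumed policy choice.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed data: sender addresses each authenticated account has confirmed.
CONFIRMED = {
    "alice@example.com": {"alice@example.com", "alice@alias.example.org"},
}

def normalize(addr):
    # Assumed policy: compare addresses case-insensitively.
    return addr.strip().lower()

def check_from(auth_user, raw_message, confirmed=CONFIRMED):
    """Return (allowed, reason) for a message submitted by auth_user."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False, "exactly one From header required"
    # Compare the addr-spec only; the display name is free text and is
    # never trusted, even when it looks like an address.
    addrs = [normalize(a) for _, a in getaddresses(from_headers) if a]
    if len(addrs) != 1:
        return False, "exactly one From address required"
    allowed = {normalize(a) for a in confirmed.get(auth_user, ())}
    if addrs[0] not in allowed:
        return False, f"{addrs[0]} is not confirmed for {auth_user}"
    return True, "ok"

# Constructed submissions, all from the authenticated account alice@example.com.
SAMPLES = {
    "confirmed alias": "From: Alice <alice@alias.example.org>\nSubject: a\n\nhi\n",
    "mixed case": "From: ALICE@Example.COM\nSubject: b\n\nhi\n",
    "unconfirmed": "From: Other <other@example.net>\nSubject: c\n\nhi\n",
    "display-name lookalike":
        'From: "alice@example.com" <other@example.net>\nSubject: d\n\nhi\n',
    "two addresses": "From: alice@example.com, other@example.net\n\nhi\n",
    "two headers": "From: alice@example.com\nFrom: other@example.net\n\nhi\n",
    "missing": "Subject: e\n\nhi\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24s}", check_from("alice@example.com", raw))
```

A check like this would run at submission, before the DKIM signer, so the signature is only applied to a From the account has confirmed.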