>From: Matus UHLAR - fantomas <uh...@fantomas.sk>
>>>> On Fri, 5 May 2017, David Jones wrote:
>>>>
>>>>> I think I would have to write a simple SA plugin to compare the
>>>>> envelope-from with the DKIM signature domain to see if they matched
>>>>> then I could use a meta rule to glue all of this together.

>>>John Hardin skrev den 2017-05-05 21:45:
>>>> Or file a bug to get it implemented in the base DKIM plugin. I suspect
>>>> extending that would be easier (and neater in the long run) than a
>>>> parallel plugin for just that one DKIM check.

>>>From: Benny Pedersen <m...@junc.eu>
>>>http://search.cpan.org/dist/Mail-DMARC/
>>
>>>who will make the missing sa plugin to it ?

>On 05.05.17 20:22, David Jones wrote:
>>I just filed a bug per John's recommendation but I think it
>>would be best to put that logic into a DMARC plugin since
>>this is getting into what DMARC does.

>agreed but there's still one thing I don't understand:

>If a mail is DKIM-signed, it means that it's authenticated, including
>headers like From:.

Authentication and authorization are very different things.

>what's the point of checking if SPF and DKIM domains match?
>This way authentic (but forwarded, e.g. through mailing lists) mail will get
>"caught" but what's the point of it?

DKIM signing only does authentication to prevent tampering with the
body and headers.  It doesn't have to do with authorization like
SPF does.  Both authentication and authorization are needed to prove
an email is from who it claims to be and not altered.

Of course a compromised mail account can send both an authorized
and authenticated email with malicious content.  You don't want to
whitelist_auth domains with real user accounts that can be compromised.
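The envelope-from versus DKIM signing-domain comparison proposed earlier in the thread, written out as an added Python example (not code from the thread or from SpamAssassin's DKIM plugin). It assumes constructed headers, and its organizational_domain helper is a simplified stand-in for a Public Suffix List lookup; it also shows the mailing-list forwarding case raised above, where a rewritten envelope sender stops aligning with a DKIM signature that still verifies.

```python
import re

# Constructed example of the DMARC-style alignment check discussed in
# the thread: does the DKIM signing domain (d= tag) align with the
# envelope-from domain that SPF authorizes?
DKIM_D_TAG = re.compile(r'(?:^|;)\s*d\s*=\s*([^;\s]+)', re.IGNORECASE)

def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: real code must use the Public Suffix List (for
    example.co.uk the last two labels would wrongly give co.uk)."""
    labels = domain.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])

def dkim_signing_domains(headers):
    """Collect the d= tag of every DKIM-Signature (name, value) header."""
    found = []
    for name, value in headers:
        if name.lower() == 'dkim-signature':
            m = DKIM_D_TAG.search(value)
            if m:
                found.append(m.group(1).lower().rstrip('.'))
    return found

def aligned(envelope_from, headers, strict=False):
    """True if some DKIM d= domain aligns with the envelope-from domain.
    strict: exact match only; relaxed (DMARC default): same org domain."""
    env_domain = envelope_from.rsplit('@', 1)[-1].lower().rstrip('.')
    for d in dkim_signing_domains(headers):
        if d == env_domain:
            return True
        if not strict and organizational_domain(d) == \
                organizational_domain(env_domain):
            return True
    return False

# Constructed headers: a message signed by example.com (tag values are
# placeholders, not a real signature) ...
DIRECT = [
    ('From', 'alice@example.com'),
    ('DKIM-Signature',
     'v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject; bh=abc; b=def'),
]
# ... and the same message after a mailing list rewrote the envelope sender
# (the DKIM signature still verifies if the list left body/headers intact).
FORWARDED = DIRECT + [('List-Id', '<users.lists.example.org>')]

if __name__ == '__main__':
    print(aligned('alice@example.com', DIRECT))              # True
    print(aligned('bounce@lists.example.org', FORWARDED))    # False
```

Relaxed alignment also accepts a subdomain sender such as alice@mail.example.com against d=example.com, while strict=True rejects it.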
