Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review



>Title: DNS-based Email Sender Authentication Mechanisms: a Critical Review

Dave is right -- this misunderstands what DKIM does.  The only validated
identity is the signer, which need bear no relationship to any other header
domain, e.g.

 DKIM-Signature: ... d=rbn.ru; ...
 From: Bank of America Security <security at paypal.com>

The From: header is signed, but the only domain that DKIM
authenticates here is rbn.ru.  It doesn't say anything about the
legitimacy or lack thereof of the address security at paypal.com, or of
the string "Bank of America Security" which is what a whole lot of
MUAs will actually display.

Even if the d= domain matches the domain on the From: line, it still
doesn't promise that the address is "real".  This is an important
point that a lot of people misunderstand.

R's,
John
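As an added illustration (not part of the post above), here is a receiver-side check that pulls the d= domain out of a DKIM-Signature header and the domain out of the From: header and reports whether the two are aligned; the headers below are constructed samples and the .example domains are placeholders, not real signers.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (not from the original post): a valid-looking
# signature by signer.example over a From: that claims bank.example.
SAMPLE_HEADERS = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=signer.example;\r\n"
    " s=sel1; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==\r\n"
    "From: Bank of Somewhere Security <security@bank.example>\r\n"
)

def parse_headers(raw):
    """Unfold RFC 5322 folded lines and return a list of (name, value)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    headers = []
    for line in unfolded.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def dkim_tags(sig_value):
    """Parse the tag=value list of a DKIM-Signature value (RFC 6376 tag-list)."""
    tags = {}
    for item in sig_value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")  # split on the first '=' only
            tags[k.strip()] = v.strip()
    return tags

def signer_domain(headers):
    for name, value in headers:
        if name == "dkim-signature":
            return dkim_tags(value).get("d", "").lower() or None
    return None

def from_domain(headers):
    for name, value in headers:
        if name == "from":
            _display, addr = parseaddr(value)  # display name is ignored
            return addr.rpartition("@")[2].lower() or None
    return None

def dkim_from_aligned(headers):
    """True only when d= is the From: domain or a parent domain of it."""
    d = signer_domain(headers)
    f = from_domain(headers)
    return bool(d and f) and (f == d or f.endswith("." + d))
```

Alignment only tells you that the From: domain's owner (or a parent domain) signed the message; as the post says, it still does not show the mailbox exists, and the display name is never checked at all.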