Re: Domainkeys and ISPs
Thomas Goirand wrote:
Unless I've completely misunderstood DKIM, then it's not supposed to be
any auth for *any* particular field. The *domain* that you're supposed
to use to look up the *key* in DKIM is *part* of the signature itself. I
don't think you're supposed to get it from the From: field or the
Reply-To: or the Received chain. (DKIM would be too inflexible and would
break too often if you did that). Look at the sample signature from
Lionel Elie Mamane wrote:
On Fri, Mar 14, 2008 at 03:59:57PM +0800, Thomas Goirand wrote:
Lionel Elie Mamane wrote:
Isn't DKIM supposed to be an auth for the From: field?
Well, then transpose my whole argument to the From: field. It doesn't
make much of a difference.
Of course it does!
That's the way SPF works. I don't think DKIM is supposed to be that way
(since my understanding is that DKIM is a response to the shortcomings
If somebody is sending with a From: with a domain installed on my
server, then it's going to be either sent from localhost, or using smtp
Suppose a customer of yours is *also* a customer of another ISP
(competitor.com) and they inadvertently send out through the *other*
ISP's mail server an email with a return address at a domain (say,
example.com) that *you* host. I don't see why DKIM doesn't let
competitor.com sign the message even though it's got email@example.com in
the From and Reply-to field. The DKIM signature will contain
competitor.com's domain as the place to go to get the public key to
verify the message content and things would check out fine.
Now, competitor.com might have a policy against you doing that... and
they can reject your message or refuse to sign it. But that's a *policy*
decision. DKIM is just a mechanism for some domain owner to take
responsibility for the message. From the dkim.org website, under "What
does a DKIM signature mean?"... "The owner of the domain name being
used for a DKIM signature is declaring that they are accountable for the
message. This means that their reputation is at stake.". I'm paying
careful attention to the "domain name being used for a DKIM signature".
They didn't say "the domain name in the From: field" or "the first
domain name in the Received chain".
So, unless I've been smoking too much crack again, there's only one
reason why you'd want to sign an already DKIM-signed message, and that's
if the original signer has a tainted reputation and you would like to
use your reputation to increase the odds of delivery.
So... what's the deal? Do I have to put the crack pipe away?