Thomas Goirand wrote:
Unless I've completely misunderstood DKIM, then it's not supposed to be any auth for *any* particular field. The *domain* that you're supposed to use to look up the *key* in DKIM is *part* of the signature itself. I don't think you're supposed to get it from the From: field or the Reply-To: or the Received chain. (DKIM would be too inflexible and would break too often if you did that). Look at the sample signature from http://www.dkim.org/info/dkim-faq.html#basicsLionel Elie Mamane wrote:On Fri, Mar 14, 2008 at 03:59:57PM +0800, Thomas Goirand wrote:Lionel Elie Mamane wrote:Isn't DKIM supposed to be an auth for the From: field?Well, then transpose my whole argument to the From: field. It doesn't make much of a difference.Of course it does!
That's the way SPF works. I don't think DKIM is supposed to be that way (since my understanding is that DKIM is a response to the shortcomings of SPF).If somebody is sending with a From: with a domain installed on my server, then it's going to be either sent from localhost, or using smtp with auth.
Suppose a customer of yours is *also* a customer of another ISP (competitor.com) and they inadvertently send out through the *other* ISP's mail server an email with a return address at a domain (say, example.com) that *you* host. I don't see why DKIM doesn't let competitor.com sign the message even though it's got user@example.com in the From and Reply-to field. The DKIM signature will contain competitor.com's domain as the place to go to get the public key to verify the message content and things would check out fine.
Now, competitor.com might have a policy against you doing that... and they can reject your message or refuse to sign it. But that's a *policy* decision. DKIM is just a mechanism for some domain owner to take responsibility for the message. From the dkim.org website, under "What does a DKIM signature mean?"... "The owner of the domain name being used for a DKIM signature is declaring that they are accountable for the message. This means that their reputation is at stake.". I'm paying careful attention to the "domain name being used for a DKIM signature". They didn't say "the domain name in the From: field" or "the first domain name in the Received chain".
So, unless I've been smoking too much crack again, there's only one reason why you'd want to sign an already DKIM-signed message, and that's if the original signer has a tainted reputation and you would like to use your reputation to increase the odds of delivery.
So... what's the deal? Do I have to put the crack pipe away? - Joe