[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Domainkeys and ISPs

Joe Emenaker wrote:
> Thomas Goirand wrote:
>> Lionel Elie Mamane wrote:
>>  
>>> On Fri, Mar 14, 2008 at 03:59:57PM +0800, Thomas Goirand wrote:
>>>    
>>>> Lionel Elie Mamane wrote:
>>>>       Isn't DKIM supposed to be an auth for the From: field?
>>>>       
>>> Well, then transpose my whole argument to the From: field. It doesn't
>>> make much of a difference.
>>>     
>>
>> Of course it does!
>>   
> Unless I've completely misunderstood DKIM, then it's not supposed to be
> any auth for *any* particular field. The *domain* that you're supposed
> to use to look up the *key* in DKIM is *part* of the signature itself. I
> don't think you're supposed to get it from the From: field or the
> Reply-To: or the Received chain. (DKIM would be too inflexible and would
> break too often if you did that). Look at the sample signature from
> http://www.dkim.org/info/dkim-faq.html#basics
>> If somebody is sending with a From: with a domain installed on my
>> server, then it's going to be either sent from localhost, or using smtp
>> with auth.
> That's the way SPF works. I don't think DKIM is supposed to be that way
> (since my understanding is that DKIM is a response to the shortcomings
> of SPF).
> 
> Suppose a customer of yours is *also* a customer of another ISP
> (competitor.com) and they inadvertently send out through the *other*
> ISP's mail server an email with a return address at a domain (say,
> example.com) that *you* host. I don't see why DKIM doesn't let
> competitor.com sign the message even though it's got user@example.com in
> the From and Reply-to field. The DKIM signature will contain
> competitor.com's domain as the place to go to get the public key to
> verify the message content and things would check out fine.
> 
> Now, competitor.com might have a policy against you doing that... and
> they can reject your message or refuse to sign it. But that's a *policy*
> decision. DKIM is just a mechanism for some domain owner to take
> responsibility for the message. From the dkim.org website, under "What
> does a DKIM signature mean?"...  "The owner of the domain name being
> used for a DKIM signature is declaring that they are accountable for the
> message. This means that their reputation is at stake.". I'm paying
> careful attention to the "domain name being used for a DKIM signature".
> They didn't say "the domain name in the From: field" or "the first
> domain name in the Received chain".
> 
> So, unless I've been smoking too much crack again, there's only one
> reason why you'd want to sign an already DKIM-signed message, and that's
> if the original signer has a tainted reputation and you would like to
> use your reputation to increase the odds of delivery.
> 
> So... what's the deal? Do I have to put the crack pipe away?
> 
> - Joe

You are just right, I was thinking by myself instead of reading the
specifications. Then I don't get how dkimproxy chooses to sign or not a
message, and I shall investigate.

Thomas
Reply to: