Re: Domainkeys and ISPs
Joe Emenaker wrote:
> Thomas Goirand wrote:
>> Lionel Elie Mamane wrote:
>>> On Fri, Mar 14, 2008 at 03:59:57PM +0800, Thomas Goirand wrote:
>>>> Lionel Elie Mamane wrote:
>>>> Isn't DKIM supposed to be an auth for the From: field?
>>> Well, then transpose my whole argument to the From: field. It doesn't
>>> make much of a difference.
>> Of course it does!
> Unless I've completely misunderstood DKIM, then it's not supposed to be
> any auth for *any* particular field. The *domain* that you're supposed
> to use to look up the *key* in DKIM is *part* of the signature itself. I
> don't think you're supposed to get it from the From: field or the
> Reply-To: or the Received chain. (DKIM would be too inflexible and would
> break too often if you did that). Look at the sample signature from
>> If somebody is sending with a From: with a domain installed on my
>> server, then it's going to be either sent from localhost, or using smtp
>> with auth.
> That's the way SPF works. I don't think DKIM is supposed to be that way
> (since my understanding is that DKIM is a response to the shortcomings
> of SPF).
> Suppose a customer of yours is *also* a customer of another ISP
> (competitor.com) and they inadvertently send out through the *other*
> ISP's mail server an email with a return address at a domain (say,
> example.com) that *you* host. I don't see why DKIM doesn't let
> competitor.com sign the message even though it's got firstname.lastname@example.org in
> the From and Reply-to field. The DKIM signature will contain
> competitor.com's domain as the place to go to get the public key to
> verify the message content and things would check out fine.
> Now, competitor.com might have a policy against you doing that... and
> they can reject your message or refuse to sign it. But that's a *policy*
> decision. DKIM is just a mechanism for some domain owner to take
> responsibility for the message. From the dkim.org website, under "What
> does a DKIM signature mean?"... "The owner of the domain name being
> used for a DKIM signature is declaring that they are accountable for the
> message. This means that their reputation is at stake.". I'm paying
> careful attention to the "domain name being used for a DKIM signature".
> They didn't say "the domain name in the From: field" or "the first
> domain name in the Received chain".
> So, unless I've been smoking too much crack again, there's only one
> reason why you'd want to sign an already DKIM-signed message, and that's
> if the original signer has a tainted reputation and you would like to
> use your reputation to increase the odds of delivery.
> So... what's the deal? Do I have to put the crack pipe away?
> - Joe
You are just right, I was thinking by myself instead of reading the
specifications. Then I don't get how dkimproxy chooses to sign or not a
message, and I shall investigate.