[dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain

Tim Gokcen tim.gokcen at mpathix.com
Fri May 4 12:25:58 PDT 2007


Under the DomainKeys spec, I ran into some trouble with respect to 
identifying the sending domain. The DomainKeys spec explicitly says that 
receiving agents must use the From: or Sender: field to identify the 
sending domain against which to authenticate the DomainKeys signature.

Writing a push-pull mail-forwarding system, I found this restriction 
aggravating with respect to ensuring end-user experience. Ideally we 
want the human recipients to see only the "original" From address and be 
unaware (unless they examine extended header information) that the 
message was forwarded. Of course different e-mail programs will behave 
differently, but most, for example, do not show low-level fields such as 
"Received:", so it should be possible.

However, we would also like to ensure that the receiving MTA is able to 
verify our server using Domain Keys, SPF/Sender-ID, etc., in order to 
avoid the messages being identified as forged-return-address spam.

With SPF/Sender-ID, we can do this by populating the "Resent-From" field 
with an address belonging to the forwarding domain. Hotmail and other 
SPF/Sender-ID verifiers correctly find our SPF domain records and 
validate the Resent-From.

With Domain Keys, we were forced to use the "Sender" field, but the 
downside is that some e-mail programs (e.g., Outlook 2003) display this 
field to users, displaying "From XXX sent on behalf of YYY" where XXX is 
the Sender field and YYY is the From field.

I notice that the new DKIM spec (draft-ietf-dkim-base-10) does not 
explicitly say which header field receiving agents are supposed to 
verify signatures against. Section 6.1 seems to imply that the "From" 
field can be verified, but neither confirms nor denies whether more 
hidden fields such as "Resent-From" (or "Resent-Sender") could be used.

Is the selection of what to verify against truly absent from the DKIM 
spec? Is there anything we can do in order to ensure that the receiving 
mail server (verifier) is able to correlate the sending domain with a 
DKIM entry and thus verify the message against our published DNS TXT 
records, without resorting to highly-visible fields such as "From" or 
"Sender"?

-- 
Tim Gokcen
Mpathix - Development
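As an added illustration (not from the original post or the dkim-dev list), the following Python shows how a DKIM verifier derives the signing domain from the d= tag of the DKIM-Signature header itself, independent of the From:, Sender: or Resent-From: address headers, and then reports which of those headers happen to align with it. The sample message, the forwarder.example and origin.example domains, and the bh=/b= values are constructed placeholders; cryptographic verification of the signature is out of scope here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): a forwarder signs with its own
# d= domain while From: still carries the original author's domain.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=forwarder.example; s=fwd1;
 c=relaxed/simple; h=from:resent-from:subject;
 i=@forwarder.example; bh=PLACEHOLDER=; b=PLACEHOLDER=
Resent-From: relay@forwarder.example
From: alice@origin.example
Subject: test

body
"""

def parse_tags(value):
    """Split a (possibly folded) DKIM-Signature value into tag=value pairs."""
    tags = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k] = v
    return tags

def in_domain(candidate, d):
    """True if candidate equals d or is a subdomain of d."""
    return candidate == d or candidate.endswith("." + d)

def signing_identity(raw):
    """Report the d= signing domain and how the address headers relate to it."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    d = tags["d"].lower()
    headers = {}
    for name in ("From", "Sender", "Resent-From"):
        if msg[name]:
            headers[name] = parseaddr(msg[name])[1].rsplit("@", 1)[-1].lower()
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    # i= (agent/user identifier) defaults to @d and must lie within d.
    i_dom = tags.get("i", "@" + d).rsplit("@", 1)[-1].lower()
    return {
        "d": d,
        "headers": headers,
        "aligned": [n for n, dom in headers.items() if in_domain(dom, d)],
        "from_signed": "from" in signed,
        "i_within_d": in_domain(i_dom, d),
    }
```

The verifier looks up the key at s=._domainkey.d= and never consults From: to choose that domain; whether d= must match From: is a separate policy decision by the receiver.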

