[dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain

Murray S. Kucherawy msk at sendmail.com
Fri May 4 14:17:04 PDT 2007


On Fri, 4 May 2007, Tim Gokcen wrote:
> I notice that the new DKIM spec (draft-ietf-dkim-base-10) does not 
> explicitly say which header field receiving agents are supposed to 
> verify signatures against. Section 6.1 seems to imply that the "From" 
> field can be verified, but neither confirms nor denies whether more 
> hidden fields such as "Resent-From" (or "Resent-Sender") could be used.

Section 6.1 says the "From" header must be signed, but that's the only 
such assertion in the document.

DKIM itself makes no assertion about the validity of the content of any 
header apart from the signature itself.  The only thing it can guarantee 
is that the headers and body that arrived which were included in the 
signature were unaltered in transit (other than header ordering).

> Is the selection of what to verify against truly absent from the DKIM 
> spec?

In the context in which you're operating, it is.

> Is there anything we can do in order to ensure that the receiving mail 
> server (verifier) is able to correlate the sending domain with a DKIM 
> entry and thus verify the message against our published DNS TXT records, 
> without resorting to highly-visible fields such as "From" or "Sender"?

You can make local policy assertions such as only trusting a From: and 
Sender: header when the domain in each matches the "d=" value for a 
signature that validated, from which you can infer that they were likely 
genuine.  Such, however, are outside of the scope of DKIM's base 
specification.

-MSK
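The local policy Murray describes, as an added illustration that is not code from the thread: trust From:/Sender: only when the domain matches the d= of a DKIM signature the verifier has already validated. Signature verification itself is assumed to happen elsewhere (its result is passed in as the indexes of the validated DKIM-Signature headers); the relaxed subdomain option goes beyond the exact match the reply mentions and is an assumption.

```python
import email
from email.utils import parseaddr


def tag_value(dkim_sig_header: str, tag: str) -> str:
    """Value of one tag (e.g. 'd') from a DKIM-Signature tag=value list."""
    for part in dkim_sig_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip() == tag:
            return "".join(value.split()).lower()  # drop folding whitespace
    return ""


def header_domain(header_value) -> str:
    """Domain of the first address in a From:/Sender: header, lowercased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def aligned(header_dom: str, sig_dom: str, relaxed: bool = False) -> bool:
    """Exact match as in the reply; relaxed (assumption, DMARC-style) also
    accepts a subdomain of the signing domain."""
    if not header_dom or not sig_dom:
        return False
    return header_dom == sig_dom or (relaxed and header_dom.endswith("." + sig_dom))


def trusted_headers(raw_message: bytes, validated_sig_indexes, relaxed=False) -> dict:
    """Report, per identity header, whether its domain aligns with the d= of a
    signature the verifier already reported as valid (given by header index)."""
    msg = email.message_from_bytes(raw_message)
    sigs = msg.get_all("DKIM-Signature", [])
    valid_doms = {tag_value(sigs[i], "d") for i in validated_sig_indexes if i < len(sigs)}
    return {name: any(aligned(header_domain(msg.get(name)), d, relaxed) for d in valid_doms)
            for name in ("From", "Sender")}


# Constructed sample: signature (assumed already verified) covers From:, d=example.com.
SAMPLE = b"""DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=from:to:subject; bh=FAKEBODYHASH=; b=FAKESIG=
From: Alice <alice@example.com>
Sender: bulk@mailer.example.net
To: bob@example.org
Subject: test

hello
"""

if __name__ == "__main__":
    print(trusted_headers(SAMPLE, validated_sig_indexes=[0]))
```

A Sender: domain that does not match any validated d= is reported untrusted even when From: aligns, which is the per-header decision the reply describes.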

