[dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain

Douglas Otis dotis at mail-abuse.org
Fri May 4 15:21:31 PDT 2007


On May 4, 2007, at 2:17 PM, Murray S. Kucherawy wrote:

>> Is there anything we can do in order to ensure that the receiving  
>> mail server (verifier) is able to correlate the sending domain  
>> with a DKIM entry and thus verify the message against our  
>> published DNS TXT records, without resorting to highly-visible  
>> fields such as "From" or "Sender"?
>
> You can make local policy assertions such as only trusting a From:  
> and Sender: header when the domain in each matches the "d=" value  
> for a signature that validated, from which you can infer that they  
> were likely genuine.  Such, however, are outside of the scope of  
> DKIM's base specification.

No sender assurances exist to safely permit an inference that a  
specific email-address is genuine when matched against the signing  
domain.  That is an opaque function of the signing domain.

The DOSP scheme would permit assured associations between any email  
originating domain.  This scheme could be used to assure the mail-from,
ehlo, or any other email header contained within the message.

http://tools.ietf.org/wg/dkim/draft-otis-dkim-dosp-02.txt

-Doug
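
The local policy described in the quoted reply (trust From: and Sender: only when each domain matches the "d=" of a signature that validated), sketched as an added example that is not part of the original thread or of any DKIM implementation. It assumes a DKIM verifier has already validated the signatures and handed over their d= values, and that "matches" means an exact domain match; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def header_domains(values):
    """Lower-cased domain of every address found in the given header values."""
    domains = set()
    for _display, addr in getaddresses(values):
        local, sep, domain = addr.rpartition("@")
        # Unparseable or domain-less addresses become "", which never matches.
        domains.add(domain.lower().rstrip(".") if local and sep and domain else "")
    return domains

def check_local_policy(raw_message, validated_d):
    """Per header: True if every address domain equals a validated d= value,
    False if any does not (or none parse), None if the header is absent.
    validated_d: d= values of signatures a DKIM verifier already validated
    (assumed input; no cryptographic verification happens here)."""
    msg = message_from_string(raw_message)
    validated = {d.lower().rstrip(".") for d in validated_d}
    result = {}
    for name in ("From", "Sender"):
        values = msg.get_all(name)
        if values is None:
            result[name] = None
            continue
        domains = header_domains(values)
        result[name] = bool(domains) and domains <= validated
    return result

# Constructed sample messages (not taken from the thread).
ALIGNED = ("From: Alice <alice@example.com>\n"
           "Sender: relay@example.com\n"
           "Subject: hello\n\nbody\n")
# Display name imitates the signing domain; the real address does not.
DISPLAY_NAME = ('From: "alice@example.com" <mallory@other.example>\n'
                "Subject: hello\n\nbody\n")
# Subdomain of the signing domain: exact match is required here (assumption).
SUBDOMAIN = "From: bob@mail.example.com\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED), ("display-name", DISPLAY_NAME),
                       ("subdomain", SUBDOMAIN)):
        print(label, check_local_policy(raw, ["example.com"]))
```

A True result records only that the header domain equals a validated signing domain; what the signer asserts about the address itself is outside this check.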


