[dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain

Murray S. Kucherawy msk at sendmail.com
Fri May 4 15:43:53 PDT 2007


On Fri, 4 May 2007, Douglas Otis wrote:
> No sender assurances exist to safely permit an inference that a specific 
> email-address is genuine when matched against the signing domain.  That 
> is an opaque function of the signing domain.

If I get mail which was signed by example.com, the signature verifies, and 
the From: contains an example.com address, on what grounds other than 
arbitrary ones would I distrust the contents of the From: header?

Certainly someone could've hacked example.com's machines or found a way to 
generate mail that they will sign, but that doesn't change what you can 
infer from DKIM.  If I'm willing to trust that their machines are safe, my 
assertion is sound.

-MSK
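
The inference discussed in this message (a verified signature whose d= domain equals the domain in From:), written out as an added example that is not part of the original post or of any DKIM implementation. The function name, the sample message and the `verified_domains` input (the d= values a real DKIM verifier has already accepted) are assumptions made for illustration; no cryptographic verification is performed here.

```python
import email
from email.utils import getaddresses

# Constructed sample message; the bh= and b= values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Split a DKIM-Signature header value into a tag -> value dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Drop folding whitespace inside tag names and values.
            tags["".join(name.split())] = "".join(val.split())
    return tags

def from_matches_signer(raw, verified_domains):
    """Return (ok, reason). verified_domains: d= values whose signatures
    a real DKIM verifier already accepted (assumed input)."""
    msg = email.message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return False, "need exactly one From: header"
    addrs = getaddresses(froms)
    if len(addrs) != 1 or "@" not in addrs[0][1]:
        return False, "need exactly one From: address"
    from_domain = addrs[0][1].rsplit("@", 1)[1].lower()
    verified = {d.lower() for d in verified_domains}
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        d = tags.get("d", "").lower()
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        if d in verified and "from" in signed and d == from_domain:
            return True, "verified d= covers and equals From: domain"
    return False, "no verified signature whose d= equals From: domain"

if __name__ == "__main__":
    print(from_matches_signer(SAMPLE, {"example.com"}))
```
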

