[dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain
Murray S. Kucherawy
msk at sendmail.com
Fri May 4 16:44:32 PDT 2007

On Fri, 4 May 2007, Douglas Otis wrote:
> One still can't safely infer that [some]@example.com email-address is
> genuine, even when signing and email-address domains match.

...nor did DKIM ever claim such.

> This overlooks rather complex issues of safely communicating to the user
> the set of conditions considered necessary upon which trust is based.

It assigns the handling of such complex issues to the system
administrator, who is at least in part responsible for local policy
definition and enforcement rather than the user.

I don't expect my users to understand DKIM or its implications, but I do
expect myself (as my domain's administrator) to understand them and pass
that benefit on somehow by simplifying it as much as possible.

> In addition, such trust makes an assumption that the signing domain is
> performing email-address validation. That assumption is not based upon
> any sender assurances.

No, it's making the assertion that I don't care about local-parts when
they come from domains that sign and then successfully verify using DKIM.
I don't know what local-parts might be valid or invalid, but to some
extent I don't care either.

DKIM renders difficult the spoofing of domain names on e-mail. What
you're talking about is preventing spoofing even of local-parts. While it
can't hurt to have such a capability, I don't find its absence to be much
of a showstopper either.

-MSK
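
The domain-level policy discussed in this message, sketched as an added example that is not part of the original post or of any DKIM implementation: the verdict depends on the signing domain (the `d=` tag) and the From domain, and never on the local-part. The function names, the verdict strings and the `signature_verified` input (assumed to come from a real DKIM verifier) are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= are placeholders, not a real signature.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Some User <anything@example.com>
To: recipient@example.net
Subject: constructed sample

body
"""

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def domain_verdict(raw_message, signature_verified):
    """Return (verdict, from_domain, signing_domain).

    signature_verified is assumed to be the result of a real DKIM
    verifier; this sketch performs no cryptographic check itself.
    Only the first DKIM-Signature header is considered.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    # The local-part is split off and deliberately never consulted.
    _local_part, _, from_domain = addr.rpartition("@")
    from_domain = from_domain.lower()
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ("unsigned", from_domain, None)
    signing_domain = dkim_tags(sig).get("d", "").lower()
    if not signature_verified:
        return ("unverified", from_domain, signing_domain)
    if signing_domain == from_domain:
        return ("domain-verified", from_domain, signing_domain)
    return ("third-party-signed", from_domain, signing_domain)

if __name__ == "__main__":
    print(domain_verdict(SAMPLE, signature_verified=True))
```
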