[dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain
Dave Crocker
dhc at dcrocker.net
Sat May 5 16:39:37 PDT 2007
Tim Gokcen wrote:
> I guess what I'm really trying to ask here is, does DKIM provide a
> mechanism to tell the receiving MTA *which* field a particular DKIM
> signature is intended to apply to?

DKIM specifies which fields are part of the signature. So I suppose the
question is what you mean by "apply to". From your earlier notes in this
thread, you appear to focus on something akin to authorship.

What experience with path registration schemes, like SPF and Sender-ID, and
with DomainKeys, has underscored is that we can have simplistic models that
work only some of the time, or we can have a flexible model that applies more
broadly. DKIM takes this latter approach.

The real challenge is that this is a layered topic and DKIM works at the
bottom layer: Allow someone to take responsibility. Once you have a
responsible identity, you can a) let them make assertions about their
behavior, and b) let others make assertions about their behavior. The
combination of these two lets receiving engines make handling decisions.

Anything that is more tightly integrated tends to look great, for simple
cases, but falls apart beyond them.

> Right now, we are using only the older DomainKeys spec, and in
> particular this causes our messages to fail verification with Yahoo's
> mail servers since the signing identity is in Resent-From (instead of
> From or Sender) as we wish to mask the relay from the MUA. As I

Whereas DKIM lets you use any identity you want.

> understand it, the idea of DKIM & DomainKeys (and SPF & Sender-ID) is
> not necessarily to validate that a message "from" joe at domain.com is
> *really* from that address, but to provide a mechanism whereby an MTA at
> some point in the relay chain cryptographically asserts a certain
> responsibility for the message. This increases the verifiability of that
> relaying agent, and thus on the receiving side the MTA may decide to
> trust the message more than it otherwise would, since if the message
> turns out to be spam/phishing/etc. junk, then at least there is some
> degree of accountability.
>
> Is my reasoning correct?
Yup.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
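
Added example, not part of the original message or of any DKIM implementation: a Python sketch that reads a DKIM-Signature header and reports the signing domain (d=), the signed field list (h=), and how From, Sender and Resent-From relate to them, next to the From-or-Sender expectation the thread attributes to DomainKeys. The message, the domains relay.example and customer.example, the selector sel1 and all function names are constructed for illustration; no cryptographic verification is performed.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not from the thread); bh=/b= are placeholders.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=relay.example;\r\n"
    " s=sel1; h=from:resent-from:subject:date;\r\n"
    " bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "Resent-From: gateway@relay.example\r\n"
    "From: joe@customer.example\r\n"
    "Subject: hello\r\n"
    "Date: Sat, 05 May 2007 16:39:37 -0700\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags["".join(name.split())] = "".join(val.split())
    return tags

def domain_of(msg, field):
    """Domain of the first address in a header field, or None if absent."""
    addr = parseaddr(msg.get(field, ""))[1]
    local, at, dom = addr.rpartition("@")
    return dom.lower() if at else None

def describe(raw):
    """Report what the signature itself says about signer and signed fields."""
    msg = email.message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = [h.lower() for h in tags["h"].split(":")]
    d = tags["d"].lower()
    report = {"signing_domain": d, "signed_fields": signed, "fields": {}}
    for field in ("From", "Sender", "Resent-From"):
        dom = domain_of(msg, field)
        report["fields"][field] = {
            "domain": dom,
            "covered_by_signature": field.lower() in signed,
            "matches_d": dom is not None and (dom == d or dom.endswith("." + d)),
        }
    # DomainKeys-style expectation described in the thread: Sender, else From.
    report["domainkeys_style_domain"] = domain_of(msg, "Sender") or domain_of(msg, "From")
    return report
```

On the constructed message, the signing domain comes from d= and matches only Resent-From, while a From-or-Sender lookup lands on a different domain, which is the mismatch described in the quoted question.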