[dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain

Dave Crocker dhc at dcrocker.net
Sun May 6 15:51:25 PDT 2007



Tim Gokcen wrote:
> my problem is how do I make sure that the receiving MTA will go:
> 
> "mpathix.com signature that includes several fields..., oh, look, 
> Resent-From is from that domain. I'll do a DNS TXT lookup on the 
> selector (etc.) for mpathix.com and see if it matches this signature...."

There seem to be two different issues here:

1. Who signed the message?  What is the assessment of that signer?

2. Given a particular assessment of a signer, does it matter what domain name 
is specified in another field, such as From or Resent-From? If the answer is 
yes, then what is the list of fields that matter and what are the rules for 
the way they should be handled (for this particular signer)?

In other words, going down the path you seem to have in mind seems quite 
reasonable, but actually entails quite a bit of detail and, I suspect, quite a 
few unknowns about policies and their use in a highly distributed environment.


> What I'd like is some kind of assurance (or ability to specify) that a 
> receiving MTA will check the Resent-From field (or anything else) when 
> matching the d= parameter. Maybe that lays too much of an onus on the 
> receiving MTA, though. 

One of the lessons of the DKIM work has been that there are no assurances that 
receivers will behave in a particular way.  A signer can offer information.  A 
standard can recommend how the information is used.  But there are no 
assurances that the receiver will follow the guidance.

That said, the best step towards the goal you suggest is to document what a 
particular header/signature combination is supposed to mean.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
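
An added illustration, not part of the original message: a sketch of how a receiver could keep the two issues above separate, first reading the signing domain from d=, then checking how each identity field relates to it. The sample message, the list of fields examined and the exact-or-subdomain matching rule are assumptions made for this example, and no signature verification or DNS lookup is performed.

```python
import email
from email.utils import getaddresses

# Constructed sample message (not from the thread); bh= and b= are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=mpathix.com; s=sel1;
 h=From:Resent-From:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
Resent-From: relay@mpathix.com
From: alice@example.org
Sender: list-owner@lists.example.net
Subject: test
Date: Sun, 6 May 2007 15:51:25 -0700

body
"""

# Assumption: the fields a local policy might care about.
IDENTITY_FIELDS = ("From", "Sender", "Resent-From", "Resent-Sender")

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def relate_signer_to_fields(raw):
    """Issue 1: return the signing domain (d=). Issue 2: for each identity
    field present, say whether h= covers it and whether its domain matches d=."""
    msg = email.message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    signer = tags["d"].lower()
    covered = {h.lower() for h in tags.get("h", "").split(":")}
    report = {}
    for field in IDENTITY_FIELDS:
        for _, addr in getaddresses(msg.get_all(field, [])):
            domain = addr.rpartition("@")[2].lower()
            report[field] = {
                "domain": domain,
                "signed": field.lower() in covered,
                # Assumed matching rule: same domain or a subdomain of d=.
                "matches_d": domain == signer or domain.endswith("." + signer),
            }
    return signer, report

if __name__ == "__main__":
    print(relate_signer_to_fields(SAMPLE))
```

What a receiver then does with a field that is signed but does not match d=, or matches but is not signed, is local policy.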

