[ietf-dkim] A question about DKIM and Phishing
Hector Santos
hsantos at santronics.com
Fri Aug 11 11:14:19 PDT 2006
----- Original Message -----
From: "Stefan Görling" <stefan at gorling.se>
To: <ietf-dkim at mipassoc.org>
Sent: Friday, August 11, 2006 9:10 AM
Subject: [ietf-dkim] A question about DKIM and Phishing
Hi,
> "With DomainKeys, the absence of a verifiable digital signature
> header in an E-mail purporting to be from a domain which has
> a DomainKeys DNS record may indicate that that E-mail is a
> forgery. Thus, E-mails may be divided into three classes:
>
> * valid DomainKey signature: authentic
> * invalid or missing DomainKey signature for a domain with the DNS
> record: usually forged
> * no DNS record or header: unknown status"
>
> As I have understood it, you can not really find the
> DomainKey-DNS-record unless you know the selector, which
> you do not really unless you have a domainKey signature. Is
> this correct or have I misinterpreted the drafts?
Your deduction is correct. Dr. Watson. :-)
See section 3.6.2 describing sender domain policies using an optional DNS
policy record found by using the domain name with the prefix _domainkey.
_domainkey.example.com
Then looking for the "o=" tag, if any, to extract the expected signing
practice.
In short, to be effective, you have to look up the policy to see what is
expected by the domain. Domainkeys has two policies:
o=- domain signs all mail
o=~ domain sometimes signs mail (default)
It is similar to the current DKIM Policy discussions here, regarding the
need to find the policy expectation for signing when the signature is not
there, or there and not expected, and other policy inconsistency
considerations.
DKIM is the child of DomainKeys (Yahoo) + IIM (CISCO).
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
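The lookup sequence described in the reply above, as an added example that is not code from the original post: the policy record lives at the fixed name `_domainkey.<domain>` (no selector needed), while the signing key lives at `<selector>._domainkey.<domain>`, and the `o=` tag decides whether a missing signature counts as evidence of forgery. The DNS table is constructed in memory so the example runs offline; treating a failed signature the same as a missing one for policy purposes is an assumption made here, not something the post states.

```python
"""DomainKeys sender-signing policy lookup and message classification.

Added example; it assumes a constructed in-memory DNS table in place of a
real resolver, and maps a failed signature to the unsigned case (assumption).
"""
from enum import Enum
from typing import Optional


class Verdict(Enum):
    AUTHENTIC = "authentic"
    USUALLY_FORGED = "usually forged"
    UNKNOWN = "unknown status"


def policy_record_name(domain: str) -> str:
    """Policy TXT record is found with the fixed prefix, no selector required."""
    return f"_domainkey.{domain}"


def key_record_name(selector: str, domain: str) -> str:
    """Public key record: only findable once a signature supplies the selector."""
    return f"{selector}._domainkey.{domain}"


def parse_policy(txt: str) -> dict:
    """Split a 'tag=value; tag=value' policy record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


# Constructed sample zone data (not real domains or records).
CONSTRUCTED_DNS = {
    "_domainkey.strict.example": "t=y; o=-",   # domain signs all mail
    "_domainkey.lax.example": "o=~",           # domain sometimes signs mail
    # "nopolicy.example" deliberately publishes no _domainkey record
}


def lookup_policy(domain: str, dns: dict = CONSTRUCTED_DNS) -> Optional[str]:
    """Return the 'o=' practice for a domain, or None if no policy record exists.

    A record without an 'o=' tag gets the default '~' (sometimes signs).
    """
    txt = dns.get(policy_record_name(domain))
    if txt is None:
        return None
    return parse_policy(txt).get("o", "~")


def classify(from_domain: str, signature_status: str,
             dns: dict = CONSTRUCTED_DNS) -> Verdict:
    """Classify a message given its signature result ('pass', 'fail' or 'none').

    A passing signature is authentic regardless of policy. Otherwise the policy
    decides: o=- means the domain signs everything, so an unsigned or broken
    message is usually forged; o=~ or no record gives no evidence either way.
    """
    if signature_status == "pass":
        return Verdict.AUTHENTIC
    # Assumption: 'fail' is treated like 'none' once we fall back to policy.
    practice = lookup_policy(from_domain, dns)
    if practice is None:
        return Verdict.UNKNOWN
    if practice == "-":
        return Verdict.USUALLY_FORGED
    return Verdict.UNKNOWN


if __name__ == "__main__":
    for domain in ("strict.example", "lax.example", "nopolicy.example"):
        print(domain, "unsigned ->", classify(domain, "none").value)
```

Running the block prints `usually forged` for the `o=-` domain and `unknown status` for the other two, which is the practical point of the reply: without a strict policy record, the mere absence of a signature tells a verifier nothing.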