[ietf-dkim] Capturing DKIM relationships to thwart look-alikes
dotis at mail-abuse.org
Tue Sep 12 10:52:11 PDT 2006
On Sep 12, 2006, at 10:30 AM, Wietse Venema wrote:
> I get mail that pretends to be from my bank. The SSP says the mail
> is 100% pure non-forged. However, the DKIM-BASE signing domain is
> not in my list of trusted signing domains. I get a warning that
> this mail could be sent by a party that I have no relationship with.
> This may be a revolutionary concept to some, but a widely used
> application called ssh has been using such tricks for 10 years. Its
> approach to opportunistic authentication is not perfect for
> purists, but it works for real people.
> Having gone in circles twice, I think this is a good time to step
> out of this thread.
I am in complete agreement with your statement. Rather than offering
a warning, not offering a positive annotation akin to the browser
lock-icon should also work.
While the capturing of the DKIM signing-domain with that of the email-
address would work, this could be made more reliable by adopting
conventions for conveying when the signing domain has assured the
email-address in some fashion. In addition, policy could also help
reduce risks associated with the capturing efforts by confirming
email-address/signing-domain associations. With policy, it might
also be possible to only capture the email-address itself, where
policy makes the signing-domain association.
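The ssh-style capture of email-address/signing-domain associations discussed above, with the policy-backed variant the reply proposes layered on top, as an added example that is not part of the original thread. It is illustrative code written for this page, not anything from the DKIM working group. The messages, the DKIM-Signature header values and the policy table are constructed; the `signature_verified` flag stands in for the result of a real DKIM verifier, and the policy table shape (email domain to set of signing domains) is an assumption, not the SSP format.

```python
import email.utils

# Outcomes for the mail client's annotation. Only TRUSTED earns the
# lock-icon style positive mark; everything else gets no positive annotation.
TRUSTED = "trusted"        # signer matches the captured or policy-asserted one
FIRST_SEEN = "first-seen"  # association captured now, like a new ssh host key
WARNING = "warning"        # signer differs from the captured/asserted one
UNSIGNED = "unsigned"      # no verified signature, so nothing is captured


def signing_domain(dkim_signature_header):
    """Return the lowercase d= tag of a DKIM-Signature header value, or None."""
    for tag in dkim_signature_header.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower() or None
    return None


def address_of(from_header):
    """Extract the lowercase addr-spec from a From: header value."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.lower()


class SigningDomainStore:
    """Trust-on-first-use store of email-address -> signing-domain associations."""

    def __init__(self, policy=None):
        # Captured associations: addr-spec -> set of signing domains seen with it.
        self.known = {}
        # Assumed policy shape: email domain -> signing domains it vouches for.
        # Where policy exists it replaces capture, as the reply suggests.
        self.policy = {k.lower(): {d.lower() for d in v}
                       for k, v in (policy or {}).items()}

    def evaluate(self, from_header, dkim_signature_header, signature_verified):
        addr = address_of(from_header)
        signer = signing_domain(dkim_signature_header) if dkim_signature_header else None
        if not (signature_verified and signer and addr):
            return UNSIGNED
        email_domain = addr.rpartition("@")[2]
        asserted = self.policy.get(email_domain)
        if asserted is not None:
            return TRUSTED if signer in asserted else WARNING
        seen = self.known.setdefault(addr, set())
        if not seen:
            seen.add(signer)  # first sight: capture, but no positive mark yet
            return FIRST_SEEN
        return TRUSTED if signer in seen else WARNING


# Constructed sample headers (not real signatures; only the d= tag matters here).
BANK_FROM = "Big Bank <alerts@bigbank.example>"
DKIM_BANK = "v=1; a=rsa-sha256; d=bigbank.example; s=sel; h=from:to; bh=x; b=y"
DKIM_OTHER = "v=1; a=rsa-sha256; d=bulk-sender.example; s=sel; h=from:to; bh=x; b=y"


def run_demo():
    """Feed a constructed sequence of messages through a capture-only store."""
    store = SigningDomainStore()
    messages = [
        (BANK_FROM, DKIM_BANK, True),    # first sight of the bank's signer
        (BANK_FROM, DKIM_BANK, True),    # same signer again
        (BANK_FROM, DKIM_OTHER, True),   # look-alike: valid signature, other signer
        (BANK_FROM, DKIM_BANK, False),   # signature did not verify
    ]
    return [store.evaluate(*m) for m in messages]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The `policy` argument shows the second half of the reply: when a domain publishes which signers it associates with its addresses, the store no longer needs to see the address first, and a validly signed message from some other signing domain is flagged on first sight instead of being captured.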