[ietf-dkim] Change to Section 6
dotis at mail-abuse.org
Tue Jan 23 08:38:37 PST 2007

On Tue, 2007-01-23 at 10:07 -0500, Bill.Oxley at cox.com wrote:
> Authoritative statements made by a DKIM aware MUA are a good thing.
> However from an ISP perspective I would not depend on an end user to
> have a DKIM aware MUA but will verify and do Policy silently at my edge
> MTA devices. Any mail that makes it past there can still be acted upon
> by the MUA.

There are millions of new domains added and removed every day. Checking
sender policy is like asking a fox to guard the chicken coop. Should
the MTA verify DKIM signatures before applying filters? Don't forget
about Display-Name only, clever use of UTF-8, cousin domains, and
obfuscations making it appear as though the email-address is displayed.
Of course, there is also EAI soon to be embraced by a major part of the
world. Exploits will still slip through MTAs, simply because the MTA
does not know who the recipient is trusting.

Reasonable anti-phishing efforts at the MTA require content of the
message (including content of the links within the message) to be
checked, and not just a check of a sender policy. Content checking will
not be comprehensive either, as IP address shuttering techniques easily
defeat even these difficult checks.

Reasonable anti-phishing efforts at the MUA only need to annotate those
email-addresses found in the recipient's address book that are confirmed
by a DKIM signature. No sender policy is needed. Content does not
matter, look-alikes of any type are thwarted, and this protection is not
easily defeated. These MUA extensions can be added as plugins. End
user extensions are even available for web clients.

Expecting that all DKIM signatures are verified at the MTA is wrong!
Expecting that provider's customers should accumulate their private keys
at the MTA is wrong! There should _never_ be more than just the
provider's private key at the MTA! Association between the
email-address domain and the signing domain SHOULD be by REFERENCE! It
is absurd to demand that associations are only possible when they are
within the same domain. Association by REFERENCE can accommodate the
dual identities offered by EAI addresses. Providers must stop trying to
obfuscate who is signing and transmitting messages!

Annotations based upon DKIM signatures should be directly verified.
Early removal of public keys may cause such annotations to not be
applied. Expectations that the MTA has verified all DKIM signatures and
sender policies should be strongly discouraged.
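
The address-book annotation described in the message above, as an added sketch that is not part of the original post. It assumes the client has already verified the DKIM signatures itself and passes in their d= domains; the address book layout, the `annotate` function and all sample addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed address book (assumption): addr-spec -> signing domains (d=)
# the recipient accepts for that correspondent. The second entry is an
# association by reference: the signer is not the address's own domain.
ADDRESS_BOOK = {
    "alice@example.com": {"example.com"},
    "bob@example.org": {"example.org", "provider.example"},
}

def annotate(raw_message, verified_domains, address_book=ADDRESS_BOOK):
    """Return [(from_addr, annotated)] for a message.

    verified_domains: d= values of the DKIM signatures this client verified
    itself (the cryptographic check is assumed done and is not shown here).
    Only the addr-spec is compared; the display name is never consulted.
    """
    msg = message_from_string(raw_message)
    verified = {d.lower().rstrip(".") for d in verified_domains}
    results = []
    for _display_name, addr in getaddresses(msg.get_all("From", [])):
        addr = addr.strip().lower()  # simplification: local part folded to lower case
        accepted = address_book.get(addr, set())
        results.append((addr, bool(accepted & verified)))
    return results

# Constructed sample messages: (raw message, domains with a verified signature).
SAMPLES = {
    "genuine": ("From: Alice <alice@example.com>\n\nhi\n", ["example.com"]),
    "by_reference": ("From: Bob <bob@example.org>\n\nhi\n", ["provider.example"]),
    "display_name": ('From: "alice@example.com" <mallory@evil.example>\n\nhi\n',
                     ["evil.example"]),
    "cousin": ("From: Alice <alice@examp1e.com>\n\nhi\n", ["examp1e.com"]),
    "unsigned": ("From: Alice <alice@example.com>\n\nhi\n", []),
}

if __name__ == "__main__":
    for name, (raw, domains) in SAMPLES.items():
        print(name, annotate(raw, domains))
```

The display-name and cousin-domain samples carry valid signatures from their own domains, yet neither is annotated because the addr-spec is not in the address book.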