[ietf-dkim] DKIM signature can mean it's safe to generate bounce?
Steve Atkins
steve at blighty.com
Fri Jul 6 17:59:51 PDT 2007
On Jul 6, 2007, at 5:31 PM, Douglas Otis wrote:
>
> On Jul 6, 2007, at 5:19 PM, Steve Atkins wrote:
>
>>
>> On Jul 6, 2007, at 5:09 PM, Dave Crocker wrote:
>>
>>> Folks,
>>>
>>> I'm not sure whether this fits into SSP or not, since it does not
>>> seem to require that a record be published. However...
>>>
>>> It seems to me that if a message has a DKIM signature and the
>>> signing domain matches the domain in the rfc2821.MailFrom
>>> command, then it is safe to generate a bounce message to that
>>> address.
>>>
>>> By 'safe' I mean that one can be confident that the mail will not
>>> go to an unwitting victim of a spoofed address.
>>>
>>> Am I missing something?
>>
>> If the mail is sent by dick at earthlink.net (or a virus on their
>> machine), with an envelope from address of jane at earthlink.net out
>> through the DKIM stamping earthlink smarthost and you generate a
>> bounce, that bounce will go to Jane.
>
> Earthlink added the signature. This falls into the same category
> as would any replay problem. Once again, tpa-ssp helps cope with
> that issue as well.
Why do you consider this a "replay problem" when there is no replay
involved?
Cheers,
Steve
More information about the ietf-dkim
mailing list