[ietf-dkim] ADSP and From header authentication?
dotis at mail-abuse.org
Wed Oct 22 17:52:56 PDT 2008
The sender-auth draft provides a mechanism for use when ADSP records
are discovered; the From header field can be captured within an
Authentication-Results header. The purpose of the Authentication-
Results header is to convey to MUAs the results of various message
"authentication" checks. Because the Author-Signature definition
limits what is allowed within a compliant DKIM signature, neither
ADSP, Sender-ID, nor SPF can properly be described as providing an
authentication of the From header field, PRA, or the MAILFROM email-
address respectively. The Author-Signature definition prevents a
compliant signature "on-behalf-of" value from indicating a From
header field has not been authenticated.
In addition, the path registration process of Sender-ID and SPF only
authorizes an SMTP client. An authorized SMTP client will not safely
convey an assurance that the corresponding email-address was
authenticated to represent the author or even to be a valid use of the
email-address. Often thousands of email-domains share a common
outbound server that might have only 8 IP addresses. Clearly, an IP
address is not assured to relate to any specific email-address.
S/MIME and OpenPGP provide a means to authenticate an email-address.
At this time, due to the Author-Signature definition, DKIM-ADSP does
not. DKIM without ADSP could offer an assurance that an email-address
was authenticated, since the signature is free to indicate what the
signing domain actually authenticates. What the signing domain
authenticates often differs from that of an email-address contained
within the From or Sender header field. The authentication-header
draft overstates to a dangerous degree what these mechanisms
accomplish by using the term authentication. Fixing the ADSP Author-
Signature definition would help eliminate the assumption of
"authenticated" with respect to DKIM-ADSP.
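The post turns on what an ADSP "author signature" test actually compares and what then ends up in an Authentication-Results header. The following is an added example, not code from the original post, the ietf-dkim list, or any draft: it unfolds a constructed set of headers, pulls the d= and i= tags from the DKIM-Signature, decides whether the signature counts as an author signature under two rules, maps the outcome to the dkim-adsp result names of RFC 5617, and emits the Authentication-Results header. The "rfc5617" rule is the published one (d= equals the From domain); the "draft" rule is an approximation, assumed here, of the 2008 draft rule the post argues about, where the "on-behalf-of" i= identity must match the From address. Cryptographic verification of b= is not performed; the caller states whether the signature verified. The authserv-id mx.example.org, the sample headers, and all three messages are constructed for the example.

```python
import re

# Constructed sample headers (not from the original post): the author's own
# domain signs, and i= names the author mailbox.
AUTHOR_SIGNED = """From: Alice Example <alice@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 i=alice@example.com; h=from:subject; bh=Zm9v; b=YmFy
Subject: test
"""

# Constructed: same author, re-signed by a mailing list on behalf of the list domain.
LIST_SIGNED = """From: Alice Example <alice@example.com>
Sender: list-bounces@lists.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=sel;
 i=@lists.example.net; h=from:sender:subject; bh=Zm9v; b=YmFy
Subject: test
"""

# Constructed: the author's domain signs, but i= says the signature is on
# behalf of a different mailbox than the one in From.
OTHER_USER_SIGNED = """From: Alice Example <alice@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 i=bob@example.com; h=from:subject; bh=Zm9v; b=YmFy
Subject: test
"""

def parse_headers(raw):
    """Unfold RFC 5322 header lines into (lowercased name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in " \t" and headers:          # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def get_header(headers, name):
    return next((v for n, v in headers if n == name), None)

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, whitespace removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def author_address(from_value):
    """Extract the addr-spec from a From: value such as 'Name <user@dom>'."""
    m = re.search(r"<([^>]+)>", from_value)
    return (m.group(1) if m else from_value).strip().lower()

def is_author_signature(tags, from_addr, rule="rfc5617"):
    """Decide whether an (assumed valid) signature is an author signature.

    rfc5617: d= equals the From domain (RFC 5617 "Author Domain Signature").
    draft:   assumed approximation of the 2008 draft rule: the on-behalf-of
             identity (i=, defaulting to @d=) must match the From address;
             with a local part it must equal the whole address, otherwise
             its domain must equal the From domain.
    """
    author_domain = from_addr.rpartition("@")[2]
    d = tags.get("d", "").lower()
    if rule == "rfc5617":
        return d == author_domain
    ident = tags.get("i", "@" + d).lower()
    local, _, dom = ident.rpartition("@")
    return ident == from_addr if local else dom == author_domain

def adsp_result(adsp_record, author_sig):
    """Map the published ADSP dkim= value (None if no record) and the author
    signature outcome to the dkim-adsp result names of RFC 5617 section 5.4."""
    if author_sig:
        return "pass"
    if adsp_record is None:
        return "none"
    return {"all": "fail", "discardable": "discard", "unknown": "unknown"}[adsp_record]

def evaluate(raw, adsp_record, sig_verified=True, rule="rfc5617",
             authserv_id="mx.example.org"):
    """Return the author-signature decision, the ADSP result and the
    Authentication-Results header.  sig_verified is asserted by the caller;
    the b= value is never checked here."""
    headers = parse_headers(raw)
    from_addr = author_address(get_header(headers, "from"))
    tags = parse_dkim_tags(get_header(headers, "dkim-signature") or "")
    author_sig = sig_verified and is_author_signature(tags, from_addr, rule)
    adsp = adsp_result(adsp_record, author_sig)
    fields = [authserv_id]
    if tags:
        ident = tags.get("i", "@" + tags.get("d", ""))
        fields.append("dkim=%s header.i=%s header.d=%s"
                      % ("pass" if sig_verified else "fail", ident, tags.get("d", "")))
    fields.append("dkim-adsp=%s header.from=%s" % (adsp, from_addr))
    return {"author_signature": author_sig, "adsp": adsp,
            "header": "Authentication-Results: " + "; ".join(fields)}

if __name__ == "__main__":
    cases = [("author", AUTHOR_SIGNED), ("list", LIST_SIGNED), ("other user", OTHER_USER_SIGNED)]
    for name, msg in cases:
        for rule in ("rfc5617", "draft"):
            r = evaluate(msg, "all", rule=rule)
            print("%-10s %-8s author_sig=%-5s %s" % (name, rule, r["author_signature"], r["header"]))
```

Running the main block with a published dkim=all record shows the distinction the post is drawing: the list-signed message fails ADSP under both rules even though its signature is valid and its i= honestly says it is on behalf of the list domain, and the third message, where the author's domain signs but i= names a different mailbox, passes under the d= rule and fails under the i= rule, so the only way for that signer to satisfy an author-signature test is to make i= match From.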