[ietf-dkim] draft-ietf-dkim-mailinglists-02 review
chl at clerew.man.ac.uk
Mon Sep 13 03:57:52 PDT 2010
On Fri, 10 Sep 2010 23:37:46 +0100, Steve Atkins <steve at wordtothewise.com>
> On Sep 10, 2010, at 2:31 PM, Scott Kitterman wrote:
>> ..... If this negative event can be avoided by the simple mechanism of
>> using a mailing list specific "Message" From, then that is a benefit.
> Rather than go into the general reasons why I think this is not
> something that ADSP users really want, I'll give a concrete
What ADSP users want is irrelevant. This is about what MLMs want (which is
most likely to ensure that submitted messages reach the whole of their
list without problems).
> Lets say this mailing list rewrites the From: address in some
> reasonably mechanical manner, and the From: field of
> this message were rewritten as (making up syntax on
> the fly)...
> From: steve%blighty.com%ietf-dkim at mipassoc.org
> ... such that recipients (or their MUAs) know that this mail
> was sent by steve at blighty.com via a mailing list at
> There's nothing to stop me from sending mail
> From: billing%paypal.com%ietf-dkim at mipassoc.org, as
> the mailing list isn't using ADSP.
Clearly, mailing lists that do things to the From: SHOULD (even MUST)
sign, and any RFC documenting my proposal would include that.
But yes, you could currently send a message to this list From: that
address, but that has nothing to do with whether my suggestion is adopted
or not. I suspect you would soon find yourself blacklisted by the MLM.
> ... And there's certainly
> nothing to prevent me from sending mail from
> billing%paypal.com%ietf-dkim at blighty.com that has
> a valid first-person signature.
Indeed, but that is, and has always been, possible, irrespective of
whether my suggestion is adopted. Phishers have been obfuscating their
From: headers in such ways since forever.
> That means that, as far as the end user is concerned,
> I can send them email that is "from" billing at paypal.com,
> even though paypal.com is using ADSP to ask receivers
> to discard mail that claims to be from paypal.com but
> is not validly signed by paypal.com.
> Given the whole point of ADSP is "Discard if you're not
> sure", I don't think that's what an ADSP using domain
> would want.
Sure they would, but DKIM as specified does not provide that feature
except when everything after the '@' is exact.
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
More information about the ietf-dkim