On Tue 29/Sep/2020 19:26:21 +0200 Dave Crocker wrote:
On 9/29/2020 6:40 AM, Hector Santos wrote:
On 9/27/2020 11:44 PM, Dave Crocker wrote:
DKIM has a single signature binding requirement, the 5322.From
DMARC establishes the relationship.

I don't read it that way.

DKIM binds the signer d= domain and the from.domain with no enforcement on it
nor any indication that they are related when they are not the same (the missing
link).

Absolutely not. Please re-read the DKIM specification more carefully. It is
quite explicit that it is not doing this.

I think that by "binding" Hector meant this:

    5.4.  Determine the Header Fields to Sign

    The From header field MUST be signed (that is, included in the "h="
    tag of the resulting DKIM-Signature header field).

https://tools.ietf.org/html/rfc6376#section-3.4

The spec doesn't say why, but obviously holds that the From: domain is a
specially meaningful one. There are various other passages, for example:

    The order in which Verifiers try DKIM-Signature header fields is not
    defined; Verifiers MAY try signatures in any order they like.  For
    example, one implementation might try the signatures in textual
    order, whereas another might try signatures by identities that match
    the contents of the From header field before trying other signatures.

https://tools.ietf.org/html/rfc6376#section-8.15

(I think this can be an answer to part [2] of ticket #38.)

Best
Ale
--
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
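
Added example, not part of the thread or of any participant's message: a Python sketch of the two RFC 6376 passages quoted above. It drops signatures whose h= tag omits From, then orders the rest so that signatures whose d= equals the From domain are tried first. The message, domains and selectors are constructed, the function names are hypothetical, and the exact d=/From comparison is a simplification (it is not DMARC's alignment test); no cryptographic verification is done.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message: three signatures, one of which does not sign From.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=ml;\r\n"
    " h=from:to:subject:list-id; bh=AAAA; b=BBBB\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n"
    " h=From:To:Subject:Date; bh=CCCC; b=DDDD\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=bad;\r\n"
    " h=to:subject; bh=EEEE; b=FFFF\r\n"
    "From: Alice <alice@example.org>\r\n"
    "To: dmarc@lists.example.net\r\n"
    "Subject: test\r\n\r\nbody\r\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def candidate_signatures(raw):
    """Return (d=, s=, matches_from) per usable signature, From-matching first."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    out = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        if "from" not in signed:
            continue  # From MUST be listed in h=; skip a signature that omits it
        d = tags.get("d", "").lower()
        out.append((d, tags.get("s", ""), d == from_domain))
    # sorted() is stable, so textual order is kept within each group
    return sorted(out, key=lambda sig: not sig[2])

if __name__ == "__main__":
    for sig in candidate_signatures(RAW):
        print(sig)
```

Nothing in the ordering step changes whether a signature verifies; it only decides which one is tried first, which is all the quoted passage permits.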