> On 10 Nov 2022, at 13:17, Murray S. Kucherawy <superu...@gmail.com> wrote:
>
> On Thu, Nov 10, 2022 at 12:54 PM Laura Atkins <la...@wordtothewise.com> wrote:
> In many cases, the reason the mail isn’t going out through the signing domain is because the signing domain’s anti-spam heuristics are good enough that the sender couldn’t maintain an account there long enough to send out any volume of email. That’s why the domain has a good reputation - because they block spam off their network. This is a way to steal the good reputation from the good ESP.
>
> Interesting. Almost seems like "SPF against the signing domain" could be a win, except for all the usual forwarding concerns.
>
> 2) The messages often have two different To: lines
>
> This violates RFC 5322, so it would be easy to filter these out, except that we would need to know how common and tolerated this is today among legitimate messages.
The other (more common?) case is that the original recipient is in the signed 822.To, while the new recipient is not in the To: or Cc: headers at all. While that’s just the same as old-school alias forwarding, and you might not be able to spot that on any given single email, I’d bet that it’s easy to spot and block at a mailbox provider of any size. A heuristic I’ve suggested previously is “If the recipient’s email address is not in the To: or Cc: header then treat the mail as unsigned”.

Cheers,
Steve
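The two checks discussed in this thread (Murray's "two To: lines violates RFC 5322" and Steve's "recipient not in To:/Cc: means treat as unsigned"), written out as receiver-side detection logic. This is an added example, not code from the thread or from any DKIM implementation; the messages are constructed, the DKIM-Signature values are placeholders, and the signature itself is not verified here.

```python
import email
from email.utils import getaddresses

# Constructed sample messages (not from the thread), headers only.
# The DKIM-Signature value is a placeholder, not a real signature.
FORWARDED_MSG = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=good-esp.example; h=from:to:subject; b=PLACEHOLDER
From: sender@good-esp.example
To: original@alias.example
Subject: hello

"""

DOUBLE_TO_MSG = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=good-esp.example; h=from:to:subject; b=PLACEHOLDER
From: sender@good-esp.example
To: original@alias.example
To: victim@mailbox.example
Subject: hello

"""

DIRECT_MSG = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=good-esp.example; h=from:to:subject; b=PLACEHOLDER
From: sender@good-esp.example
To: Victim <victim@mailbox.example>
Cc: other@elsewhere.example
Subject: hello

"""

def header_recipients(msg):
    """Lower-cased addresses from every To: and Cc: header in the message."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def classify(raw, rcpt_to):
    """Decide whether to honour the DKIM signature on a message delivered to rcpt_to.

    Returns (treat_as_signed, reasons). The signature is ignored when the message
    carries more than one To: header (RFC 5322 allows at most one) or when the
    envelope recipient appears in neither To: nor Cc: (alias-forwarding heuristic).
    """
    msg = email.message_from_bytes(raw)
    reasons = []
    if len(msg.get_all("To", [])) > 1:
        reasons.append("multiple To: headers (violates RFC 5322)")
    if rcpt_to.lower() not in header_recipients(msg):
        reasons.append("envelope recipient not in To:/Cc:")
    return ("DKIM-Signature" in msg and not reasons), reasons
```

Bcc recipients and mailing-list traffic will also trip the second check, which is the forwarding concern the thread raises; in practice it belongs in a reputation scorer rather than a hard reject.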
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim