On 2/6/23 10:34 AM, Alessandro Vesely wrote:
On Sat 04/Feb/2023 04:45:15 +0100 Michael Thomas wrote:
On 2/3/23 6:25 PM, Murray S. Kucherawy wrote:

But with respect to replay: Even if To and Cc are signed, there's nothing in DKIM requiring that they reflect any identities present in the envelope.

That's not the point. The point is that they are leaving clues that the message is suspicious. Not signing To and Subject looks very sketch.

As I said: a preponderance of evidence. As always with spam detection.


Does that mean that, in case the submission server doesn't trust the current author, it should create a signature where To: and/or Subject: are not covered, in order to raise suspicion at receivers?

That sounds convoluted.  I still prefer i=bulshit...@gmail.com.

No, I'm saying that the sender can publish what it does and what the receiver should expect. That's no difference in kind to the "we sign everything" for p=.

Like, say, sh=From|To|Subject|...

There are probably many other things that the sender can tell the receiver about their practices as well. That's why the original draft was called Sender Signing Practices.

Mike

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
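A receiver-side check of the idea discussed in this thread, as an added example that is not part of the original messages and not code from the IETF DKIM working group. It parses the h= tag of a DKIM-Signature header, compares it against a sender-published list of headers the sender promises to always sign, and reports which promised headers this particular signature leaves uncovered. The "sh=" tag, its pipe-separated syntax and the surrounding practices record are taken from Mike's proposal above and are hypothetical, not a standardized DKIM or DMARC tag; the signature value and policy string are constructed sample data.

```python
import re

# Constructed sample: a DKIM-Signature header value whose h= tag covers only
# From, Date and Message-ID, leaving To and Subject unsigned (the case the
# thread calls suspicious). Folding whitespace is included on purpose.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
    "\th=from:date:message-id; bh=ZmFrZQ==; b=ZmFrZQ=="
)

# Constructed sample: a hypothetical sender practices record carrying the
# proposed "sh=" tag listing headers the sender says it always signs.
# Neither the record format nor "sh=" exists in any published standard.
SAMPLE_POLICY = "v=hypothetical1; sh=From|To|Subject|Date"


def parse_tags(value):
    """Split a DKIM-style tag=value list into a dict.

    Tags are separated by ';', names are case-insensitive, and folding
    whitespace inside values is removed (as DKIM does for h= and b=).
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        # partition on the first '=' so base64 padding in b= survives
        name, _, val = part.partition("=")
        tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def signed_headers(signature_value):
    """Lower-cased header names listed in the signature's h= tag, in order."""
    h = parse_tags(signature_value).get("h", "")
    return [name.lower() for name in h.split(":") if name]


def expected_headers(policy_value):
    """Header names the hypothetical sh= tag says the sender always signs."""
    sh = parse_tags(policy_value).get("sh", "")
    return [name.lower() for name in sh.split("|") if name]


def missing_coverage(signature_value, policy_value):
    """Headers the sender promised to sign that this signature does not cover.

    An empty list means the signature matches the published practice; a
    non-empty list is one more piece of evidence for a spam/replay verdict,
    not a verdict on its own.
    """
    signed = set(signed_headers(signature_value))
    return [name for name in expected_headers(policy_value) if name not in signed]


if __name__ == "__main__":
    gaps = missing_coverage(SAMPLE_SIGNATURE, SAMPLE_POLICY)
    if gaps:
        print("signature does not cover promised headers:", ", ".join(gaps))
    else:
        print("signature covers every header the sender promised to sign")
```

Because h= may list a header name more than once (oversigning an absent header), the check uses set membership rather than positional comparison, and it deliberately does not treat a gap as a failure by itself, in keeping with the "preponderance of evidence" framing above.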