Just a quick clarification: You mentioned below that you didn't understand what ESP meant. I honestly have a hard time unraveling the nuanced differences of Email Sending Provider and MTAs, MSAs, MDAs, MTAs, "intermediary" and "forwarder"; all of which an ESP could be providing as a service, depending on the lens one looks at it.
On Sat, Aug 12, 2023, at 2:31 PM, Steffen Nurpmeso wrote: > The only remaining option spammers would have is stripping DKIM > entirely, as you say. It's not what I was saying. If DKIM is what is used by ESPs to authenticate message submissions, and the fallback for non-DKIM signed mail is to allow the submission, then certainly that is something spammers would leverage. That seems like an unlikely scenario since ESPs require other forms of authenticating message submission. I was saying that the ESP would need to strip an existing DKIM signature if it is at risk of replay, and apply it's own pre-RCPT signature in its place (or at least add the additional signature if it knows that receivers will take both signatures into consideration and the original signature is not invalidated by the message modification). If I understand based on my limited view of history, DKIM was designed for authentication between two hops. Signature survival across intermediaries was only achievable by encouraging intermediaries to not make any changes to the message "inside the envelope" such as standards-allowed MIME re-encoding (which, notably, prevents intermediaries from improving MIME interoperability). Jesse > By the way i am a bit troubled by the ESP you mention, for me ESP > translates (even after web search) to Encapsulating Security > Payload of RFC 430[13] aka the Ken05a reference of RFC 4301. But > SMTP continues "not to be Barbie", it is still possible to use > non-encrypted channels for SMTP. >
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim