On Sun, Apr 20, 2025, at 02:50, Dave Crocker wrote:
> I believe there is something approximating rough consensus that simply
> including the original recipient address in the DKIM signature, and
> validating it by the receiver, should be enough to suppress DKIM Replay.
Certainly not consensus on that point as stated here. Not unless you discount alumni forwarders and mailing lists, or expect them to all add a DKIM signature as well.

Adding the original recipient address certainly helps a lot, but it still doesn't allow you to get two messages and know if they're a replay or not.

The design I co-authored (once all involved parties support it) gives 100% certainty which signing domain split the message into multiple copies, if you receive two messages with the same i=1 first signature. So you know where the replay occurred.

Bron.

--
Bron Gondwana, CEO, Fastmail Pty Ltd
[email protected]
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
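A simplified model of the recipient-binding check discussed in this thread, added here as an example and not code from the thread or from any DKIM draft: the signer covers the headers plus the envelope recipient, the verifier compares that bound recipient with the one it actually delivered to, and a forwarder's copy only passes if the forwarder adds its own signature binding the new recipient. HMAC with shared keys stands in for DKIM's DNS-published public keys, and the key table, tag names, headers and addresses are all constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the signers' published keys (real DKIM uses
# public keys in DNS and asymmetric signatures; HMAC keeps this runnable).
KEYS = {
    "example.com": b"constructed-originator-key",
    "alumni.example": b"constructed-forwarder-key",
}

HEADERS = {  # constructed message headers
    "from": "hr@example.com",
    "to": "bob@alumni.example",
    "subject": "Quarterly statement",
}


def _mac(domain, headers, rcpt):
    mac = hmac.new(KEYS[domain], digestmod=hashlib.sha256)
    mac.update(rcpt.lower().encode())            # bind the envelope recipient
    for name in ("from", "to", "subject"):        # signed header fields
        mac.update(f"{name}:{headers.get(name, '')}".encode())
    return mac.hexdigest()


def sign(domain, headers, rcpt):
    """Signature tag binding the signed headers to the recipient it was sent to."""
    return {"d": domain, "rcpt": rcpt, "sig": _mac(domain, headers, rcpt)}


def verify_chain(tags, headers, delivered_rcpt):
    """Check every signature, then require the recipient bound by the last
    (outermost) signer to equal the recipient this copy was delivered for.
    Returns 'pass', 'fail' (bad signature) or 'rcpt-mismatch' (a replay, or an
    intermediary that re-sent the message without adding its own signature)."""
    for tag in tags:
        expected = _mac(tag["d"], headers, tag["rcpt"])
        if not hmac.compare_digest(expected, tag["sig"]):
            return "fail"
    if tags[-1]["rcpt"].lower() != delivered_rcpt.lower():
        return "rcpt-mismatch"
    return "pass"


if __name__ == "__main__":
    orig = sign("example.com", HEADERS, "bob@alumni.example")
    print(verify_chain([orig], HEADERS, "bob@alumni.example"))       # pass
    print(verify_chain([orig], HEADERS, "mallory@victim.example"))   # rcpt-mismatch
    # The alumni forwarder re-signs, binding the new recipient, so the chain passes.
    fwd = sign("alumni.example", HEADERS, "bob@newmail.example")
    print(verify_chain([orig, fwd], HEADERS, "bob@newmail.example"))  # pass
```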
