Hector Santos:
> > A bad actor can register look-alike domains and add their own DKIM
> > signature sent through any number of providers. Designation does not
> > make this problem worse. With the entire email-address being
> > internationalized, a problem of visual recognition must be handled
> > through other strategies.
>
> What Frank is saying is the ISP.COM has all power to control this and
> protect his users from direct DKIM phish attacks in a very elegant and
> graceful manner using SSP.
>
> Example:
None of these loopholes would exist if d= domains were required to match rfc822.from domains (*). Third party signatures are part of the problem. Making them "work right" requires additional complexity. Complexity leads to error, vulnerability and exploitation.

Wietse

(*) This is possible even when the signer is in a different domain. All they need is the private key that matches the public key in the d= DNS record. That record can, but does not have to, be CNAME delegated to the signer's DNS.

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
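An added illustration of the rule Wietse proposes (d= must equal the rfc822.from domain), written for this thread and not taken from either post. The messages, domains and selector are constructed; the look-alike case shows why the quoted text at the top of the thread says alignment alone does not address visually confusable domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (signature values are placeholders, not real DKIM data).
SAMPLES = {
    "first_party": (
        "From: Alice <alice@example.com>\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
        " bh=PLACEHOLDER; b=PLACEHOLDER\n\nbody\n"),
    "third_party": (
        "From: Alice <alice@example.com>\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=sel;\n"
        " bh=PLACEHOLDER; b=PLACEHOLDER\n\nbody\n"),
    # A look-alike registrant signing its own domain: aligned, yet still deceptive.
    "lookalike": (
        "From: Alice <alice@examp1e.com>\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=examp1e.com; s=sel;\n"
        " bh=PLACEHOLDER; b=PLACEHOLDER\n\nbody\n"),
    "unsigned": "From: Alice <alice@example.com>\n\nbody\n",
}

def dkim_signer_domains(msg):
    """Return the lower-cased d= tag of every DKIM-Signature header."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        # d= is a tag, so it follows either the start of the value or a ';'.
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found

def from_domain(msg):
    """Domain part of the rfc822.from address (empty if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def classify(raw):
    """Apply the strict d= == From-domain rule to one raw message."""
    msg = message_from_string(raw)
    signers = dkim_signer_domains(msg)
    if not signers:
        return "unsigned"
    return "first-party" if from_domain(msg) in signers else "third-party"

def evaluate_all():
    return {name: classify(raw) for name, raw in SAMPLES.items()}
```

Under the strict rule only "first_party" and "lookalike" pass, which is exactly the residual problem the quoted paragraph assigns to other strategies.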