Hector Santos:
> > A bad actor can register look-alike domains and add their own DKIM
> > signature sent through any number of providers. Designation does not
> > make this problem worse. With the entire email-address being
> > internationalized, a problem of visual recognition must be handled
> > through other strategies.
>
> What Frank is saying is that ISP.COM has all power to control this and
> protect his users from direct DKIM phish attacks in a very elegant and
> graceful manner using SSP.
>
> Example:
None of these loopholes would exist if d= domains were required to
match rfc822.from domains (*). Third party signatures are part of
the problem. Making them "work right" requires additional complexity.
Complexity leads to error, vulnerability and exploitation.
Wietse
(*) This is possible even when the signer is in a different domain.
All they need is the private key that matches the public key
in the d= DNS record. That record can, but does not have to,
be CNAME delegated to the signer's DNS.
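To make the two points above concrete, here is an added example (written for this page, not code from the thread, from Wietse, or from any DKIM implementation). It parses the DKIM-Signature tag list of a message, extracts d= and s=, and reports whether each signature's d= is identical to the rfc822.from domain, which is the strict rule Wietse proposes. It also derives the `selector._domainkey.domain` DNS name a verifier would query, the record the footnote says may be CNAME-delegated to the signer. It does not verify the signature itself; the sample messages are constructed and their bh= and b= values are placeholders. The third sample shows Hector's point: a look-alike domain that signs for itself is perfectly "aligned", so alignment alone does not address visual confusion.

```python
import email
from email.utils import parseaddr


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list (RFC 6376, section 3.2).

    Tags are separated by ';'. Folding whitespace inside values is discarded,
    which is how a verifier treats d=, s= and b=. Tag names are case-sensitive
    per the RFC, so they are not lower-cased here."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            continue
        tags[name.strip()] = "".join(value.split())
    return tags


def from_domain(msg):
    """Domain of the rfc822 From: address, lower-cased for comparison."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def key_record_name(selector, domain):
    """DNS name queried for the signer's public key (RFC 6376, section 3.6.2.1).

    The name is always under the d= domain; whether that record is a TXT
    record or a CNAME into the signer's DNS is the d= domain's choice."""
    return f"{selector}._domainkey.{domain}"


def check_alignment(raw_message):
    """Report, per DKIM-Signature header, whether d= equals the From: domain.

    Only the domain comparison is done; cryptographic verification would
    additionally need the DNS key record and a DKIM library."""
    msg = email.message_from_bytes(raw_message)
    fd = from_domain(msg)
    report = {"from_domain": fd, "signatures": []}
    for header_value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(header_value)
        d = tags.get("d", "").lower()
        s = tags.get("s", "")
        report["signatures"].append({
            "d": d,
            "s": s,
            "aligned": bool(d) and d == fd,
            "key_record": key_record_name(s, d) if d and s else None,
        })
    report["any_aligned"] = any(x["aligned"] for x in report["signatures"])
    return report


# Constructed sample messages. Hostnames are hypothetical; bh= and b= are
# placeholders, not real hashes or signatures.
# 1. Author domain signs, and an ESP adds a third-party signature too.
DUAL_SIGNED = (
    b"From: Alice <alice@bank.example>\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example;\r\n"
    b"\ts=k1; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bank.example;\r\n"
    b"\ts=mail2024; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    b"Subject: statement\r\n\r\nbody\r\n"
)
# 2. Only a third-party signature: under the strict rule it does not count.
THIRD_PARTY_ONLY = (
    b"From: Alice <alice@bank.example>\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k1;\r\n"
    b"\th=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    b"Subject: statement\r\n\r\nbody\r\n"
)
# 3. A look-alike domain signing for itself is aligned; alignment says
#    nothing about whether the name resembles someone else's.
LOOKALIKE = (
    b"From: Alice <alice@secure-bank.example>\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=secure-bank.example; s=k1;\r\n"
    b"\th=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    b"Subject: statement\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, raw in (("dual", DUAL_SIGNED), ("third-party", THIRD_PARTY_ONLY),
                       ("look-alike", LOOKALIKE)):
        print(label, check_alignment(raw))
```

Running the module prints the three reports; in a real pipeline the aligned entries' `key_record` names are what you would resolve before attempting verification.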
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html