Suresh Ramasubramanian wrote:
> 2. DKIM signs all the headers and validation of that hash tends to be
> useful to verify grandma is who she is. Or at least it's her, or it's
> comrade botmaster who's just taken over grandma's PC.
This is a common misunderstanding of DKIM:

1. DKIM doesn't have to sign all the header fields.

2. Independent of how much or little it signs, a DKIM signature does not mean that any of the content is "valid", merely that data integrity has been maintained. In particular, there is nothing that says that the author field accurately states who created the message.

What is delivered can be verified as what was sent. But what was sent is still free to be incorrect.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
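The two points above, as an added example that is not part of the thread and not code from any DKIM implementation: a miniature signer and verifier that selects header fields via h= and canonicalizes them in RFC 6376 "relaxed" style. It uses HMAC-SHA256 with a constructed key as a stand-in for the RSA signature (an assumption made so it runs with the standard library only); the message headers, body and the d= domain are also constructed. The demo shows that a message whose From: says "grandma@example.org" verifies perfectly when signed by example.net, that a field left out of h= can be rewritten without disturbing the signature, and that only fields in h= and the body are integrity-protected.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-ins: in real DKIM the signer holds an RSA private key and
# the verifier fetches the public key from DNS for d=/s=.  HMAC with a shared
# key is used here only to keep the example self-contained.
SIGNING_KEY = b"example-net-signing-key"
DOMAIN = "example.net"   # d= says who signed, not who wrote the message


def relaxed(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase the field name,
    unfold continuation lines, collapse runs of whitespace, strip the end."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def header_block(headers, signed_names):
    """Concatenate only the fields named in h=; a name that is absent from the
    message contributes nothing.  Anything not listed is simply not covered."""
    block = ""
    for name in signed_names:
        for hname, hvalue in reversed(headers):   # last instance wins (RFC 6376 5.4.2)
            if hname.lower() == name.lower():
                block += relaxed(hname, hvalue)
                break
    return block


def _mac(headers, body_less_signature, signed_names):
    # The DKIM-Signature field itself, with b= empty, is the last thing hashed.
    data = header_block(headers, signed_names) + relaxed("DKIM-Signature", body_less_signature).rstrip("\r\n")
    return base64.b64encode(hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).digest()).decode()


def sign(headers, body, signed_names):
    """Return the value of a DKIM-Signature field covering `signed_names` and the body."""
    bh = base64.b64encode(hashlib.sha256(body).digest()).decode()
    unsigned = (f"v=1; a=hmac-sha256; c=relaxed/simple; d={DOMAIN}; s=sel; "
                f"h={':'.join(signed_names)}; bh={bh}; b=")
    return unsigned + _mac(headers, unsigned, signed_names)


def verify(headers, body, signature):
    """True if the body hash and the signed header fields are intact; nothing more."""
    tags = dict(t.strip().split("=", 1) for t in signature.split(";") if "=" in t)
    signed_names = tags["h"].split(":")
    bh = base64.b64encode(hashlib.sha256(body).digest()).decode()
    if not hmac.compare_digest(bh, tags["bh"]):
        return False
    unsigned = re.sub(r"(;\s*b=)[^;]*$", r"\1", signature)   # blank out b= before re-hashing
    return hmac.compare_digest(_mac(headers, unsigned, signed_names), tags["b"])


# Constructed message: the author field is whatever the sending software put there.
HEADERS = [
    ("From", "Grandma <grandma@example.org>"),
    ("To", "suresh@example.com"),
    ("Subject", "Re: bots"),
    ("Date", "Mon, 1 Jan 2007 10:00:00 +0000"),
]
BODY = b"hello from grandma's PC\r\n"
SIGNED = ["from", "to", "date"]    # h= does not have to list every field; Subject is left out


def demo():
    sig = sign(HEADERS, BODY, SIGNED)
    results = {}
    # A valid signature from example.net says nothing about whether example.org's
    # author field is true; it only says these bytes left example.net this way.
    results["foreign_from_verifies"] = verify(HEADERS, BODY, sig)
    # Subject was not in h=, so it can be rewritten without touching the signature.
    altered = [(n, "Urgent: send money" if n == "Subject" else v) for n, v in HEADERS]
    results["unsigned_field_changed_still_verifies"] = verify(altered, BODY, sig)
    # From was in h=, so changing it is an integrity failure.
    forged = [(n, "Bank <alerts@example.org>" if n == "From" else v) for n, v in HEADERS]
    results["signed_field_changed_fails"] = not verify(forged, BODY, sig)
    # The body is covered through bh=.
    results["body_changed_fails"] = not verify(HEADERS, b"something else\r\n", sig)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verifier answers exactly one question: do the fields listed in h= and the body match what the d= domain signed? Whether From: is truthful, or whether the machine that sent it was under its owner's control, is outside what the signature can say; a receiver that wants to act on the author field has to compare d= with the From: domain as a separate policy step.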