It has been observed by implementations that is it possible to replay a message with a 2nd 5322.From header at the top which wouldn't break the DKIM signature validity, but would often be displayed by MUAs to display the new 5322.From display rather than the signature bound 5322.From header.
For example: From: phis...@badguy.com <-- injected, replayed, shown by MUA DKIM-Signature: d=signer.com .......; From: sig...@address.com <-- hash bound to signature The MUA will display the injected 5322.From header and the signature is still valid because it only signed the bottom one and verifiers also use this header to validate the signature. A review of the the 4871 specification shows this statement in section 5.4 which can explains how this is possible: 5.4. Determine the Header Fields to Sign ... Signers choosing to sign an existing header field that occurs more than once in the message (such as Received) MUST sign the physically last instance of that header field in the header block. Signers wishing to sign multiple instances of such a header field MUST include the header field name multiple times in the h= tag of the DKIM-Signature header field, and MUST sign such header fields in order from the bottom of the header field block to the top. The signer MAY include more instances of a header field name in h= than there are actual corresponding header fields to indicate that additional header fields of that name SHOULD NOT be added. There needs to be a special consideration where: 1) Verifiers and MDAs consider checking for violating RFC5322 messages with multiple 5322.From headers and rejected it, or 1) hash verification should be done for all 5322.From fields and not just the last one as the above paragraph implies. 2) signing should be done for all 5322.From fields found, even though RFC5322 recommends only one 5322.From should be used. I propose the following addition text by adding to 48721bis to address this serious issue; Special Consideration for Verifying and Signing From: Header As an exception, header hash verification MUST be done for all 5322.From fields and not just the last one. Signing MUST be done for all 5322.From fields found, even though RFC5322 recommends only one 5322.From should be used. This will mitigate any replay that prepends a new 5322.From header to a DKIM signature valid message. Some MUAs have should to display only the first 5322.From header found. -- Hector Santos, CTO http://www.santronics.com _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html