On Oct 13, 2010, at 11:27 AM, Jeff Macdonald wrote: > > > And even if there was a DKIM signature, it is the BAD GUY'S signature, > which should cause it to go into the SPAM folder, with a large > phishing warning. > > <rant> > Count me as one of those who was confused early on about what DKIM > provides. DKIM seems to make assurances to message integrity. But it > doesn't. I think the reason why many think it does is because of the > body hash. It is trying to do to much. It should just provide an > identifier that can be verified. Instead of using the body for > hashing, use the Message-ID header along with the Date header and just > hash that. That way most folks would understand DKIM is just providing > an Identifier. > </rant>
The reason for the body hash is solely to prevent replay attacks - where a spammer receives legitimate email, then reuses the signature to send out spam. That's the only reason it's there, not for anything to do with message integrity, but it is a good reason for it to be there. That this has been documented and evangelized poorly is something to rant about, perhaps. Cheers, Steve _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html