On 13/Oct/10 20:45, Scott Kitterman wrote:
> On Wednesday, October 13, 2010 12:54:23 pm Murray S. Kucherawy wrote:
>> If we can extract DKIM from the equation entirely and the problem remains,
>> how is it a DKIM problem?
>
> If the DKIM signature doesn't verify after signed headers have been altered,
> then it's not.

Correct. And the way that it fails to verify is h=from:from. The only way that DKIM can consistently account for this exploit is by amending section 5.5 "Recommended Signature Content", and spelling out what fields MUST/SHOULD be duplicated in the h= tag.
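
The h=from:from point in the message above, as an added example that is not part of the original thread: a Python check that reports whether a signature's h= tag lists a field more times than the field occurs in the message. The sample messages, the `example.com` domain, the selector and the `PLACEHOLDER` tag values are constructed, and the signature itself is not verified.

```python
from collections import Counter
from email import message_from_string


def signed_header_counts(dkim_value):
    """Count how often each field name is listed in the signature's h= tag."""
    for tag in dkim_value.split(";"):
        name, _, value = tag.partition("=")
        if name.strip() == "h":
            return Counter(n.strip().lower() for n in value.split(":") if n.strip())
    raise ValueError("DKIM-Signature has no h= tag")


def oversigning_report(raw_message, fields=("from",)):
    """For each field, compare instances in the message with entries in h=.

    A field is covered against a later-added instance only when h= lists it
    more times than it occurs (the extra entry signs a null header).
    """
    msg = message_from_string(raw_message)
    sig = msg["DKIM-Signature"]
    if sig is None:
        raise ValueError("message carries no DKIM-Signature")
    listed = signed_header_counts(sig)
    report = {}
    for field in fields:
        present = len(msg.get_all(field, []))
        report[field] = {"present": present, "listed": listed[field],
                         "oversigned": listed[field] > present}
    return report


def sample(h_tag):
    """Constructed message; bh= and b= are placeholders, nothing is verified."""
    return ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
            f" h={h_tag};\n bh=PLACEHOLDER; b=PLACEHOLDER\n"
            "From: Alice <alice@example.com>\nTo: bob@example.net\n"
            "Subject: hello\n\nbody\n")


if __name__ == "__main__":
    for h in ("from:to:subject", "from:from:to:subject"):
        print(h, oversigning_report(sample(h))["from"])
```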