On Wed, Nov 16, 2016 at 11:50 PM, Michael Storz <michael.st...@lrz.de> wrote:
>
> Ok, I see you have removed the hashing of the recipient together with the
> email itself. But how do you prevent a replay attack, if the new tag is not
> bound to the email and signed with the DKIM-key (that's how I read 4.1.4)?
> The spammer could remove the tag or provide his own tag with the new
> recipient before resending the email.
>

The signature signs itself, so removing or changing the tag invalidates the signature. Have a look at RFC6376, Sections 3.5 and 5.1.

-MSK
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
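An added illustration, not part of the thread or of any DKIM implementation: the sketch below builds the header hash input the way RFC 6376 describes (signed headers, then the DKIM-Signature field itself with the `b=` value emptied) and shows that the digest changes when a tag is altered or removed. Assumptions: the tag name `xr=` is a hypothetical placeholder for the draft's recipient tag, all header values are constructed, and digests are compared directly instead of performing the RSA operation.

```python
import hashlib
import re

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376, section 3.4.2)."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse whitespace runs, trim
    return f"{name.lower().strip()}:{value}"

def strip_b(sig_value):
    """Empty the b= value; signer and verifier both hash the field this way."""
    return re.sub(r"(^|;)(\s*b\s*=)[^;]*", r"\1\2", sig_value)

def header_hash(headers, sig_value):
    """SHA-256 over the headers listed in h=, then the DKIM-Signature field itself.
    Simplified: one instance per header name, no l=/z= handling."""
    tags = dict(t.strip().split("=", 1) for t in sig_value.split(";") if t.strip())
    data = ""
    for name in tags["h"].split(":"):
        data += relaxed_header(name, headers[name.strip().lower()]) + "\r\n"
    # The signature field is hashed last, with b= emptied and no trailing CRLF.
    data += relaxed_header("DKIM-Signature", strip_b(sig_value))
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample message headers and signature field (not from a real mail).
HEADERS = {"from": "Alice <alice@example.org>", "to": "bob@example.net",
           "subject": "hello"}
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel; "
       "h=from:to:subject; bh=CONSTRUCTEDBODYHASH=; "
       "xr=bob@example.net; b=CONSTRUCTEDSIG")  # xr= is a hypothetical tag

def compare():
    """Return digests for the original field and three modified copies."""
    return {
        "original": header_hash(HEADERS, SIG),
        "tag_changed": header_hash(
            HEADERS, SIG.replace("xr=bob@example.net", "xr=eve@example.com")),
        "tag_removed": header_hash(
            HEADERS, SIG.replace(" xr=bob@example.net;", "")),
        "b_changed": header_hash(
            HEADERS, SIG.replace("b=CONSTRUCTEDSIG", "b=OTHER")),
    }

if __name__ == "__main__":
    for label, digest in compare().items():
        print(f"{label:12} {digest}")
```

Only the `b_changed` digest matches the original, because `b=` is the one value excluded from the hash; a verifier recomputing the digest over a field with an edited or missing tag gets a value the stored signature does not cover.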