> On Aug 12, 2016, at 11:52 AM, Vick Khera <vi...@khera.org> wrote:
>
> On Fri, Aug 12, 2016 at 12:34 PM, Steve Atkins <st...@blighty.com> wrote:
>> You're vouching for / accepting responsibility for every mail you sign.
>> If your users are bad actors - as they are in this case - you're accepting
>> responsibility for that.
>
> So if I took any random message that I came upon signed by you and
> spammed the world with it, you take responsibility for that?
I would take responsibility for the message, yes. It's a message I signed and sent. That doesn't change just because it was forwarded to you by someone else.

The sole reason for DKIM to be based on a body signature is that there is very little benefit to a bad actor taking someone else's mail and resending it with identical content, and when it comes to spam our mitigation is primarily financial.

For example, I receive mail from my bank. It's DKIM signed so I know it's mail from my bank. I can take a thousand copies and send them to other people, and they too will know it's mail from my bank. What I can't do is change the account number, or the message, or the links in the mail. Once I do that, it's no longer mail from my bank.

This works pretty well until you allow malicious parties to inject their own content into mail that you take responsibility for by signing it with DKIM.

On most levels there's no deception going on by fastmail or their customers. Fastmail vouched for the message, as it was sent by one of their users. They're still vouching for that identical message, even when it's sent from elsewhere.

There's nothing particularly new here. It's all pretty well understood, and even discussed a little in the DKIM RFC. And there's not really anything to "fix" other than understanding that a DKIM signature just tells you it's a message sent by someone the domain owner trusts enough to sign their mail. If that domain is wellsfargo.com or paypal.com or whitehouse.gov that tells me one thing about the message. If the domain is yahoo.com, fastmail.com or gmail.com it tells me another.

Cheers,
  Steve

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
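The point Steve makes about body signatures, shown as an added example that is not part of the thread: a stripped-down DKIM-style signer and verifier. An HMAC with a constructed key stands in for the domain's real RSA/Ed25519 key so it runs offline, the canonicalization is a rough sketch of "relaxed" rather than the RFC algorithm, and the message headers are constructed. It demonstrates that a relayed copy with identical signed headers and body still verifies, while any change to the body or a signed header fails.

```python
import base64
import hashlib
import hmac

# Constructed demo key standing in for the signing domain's private key.
# Real DKIM verifies with a public key fetched from DNS; HMAC is used here
# purely so the example is self-contained.
DEMO_KEY = b"constructed-demo-key"
SIGNED_HEADERS = ("from", "to", "subject")  # header names in lower case


def relaxed_body(body: str) -> str:
    """Approximate 'relaxed' body canonicalization: squeeze whitespace,
    drop trailing empty lines, normalize line endings to CRLF."""
    lines = [" ".join(line.split()) for line in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str) -> str:
    """The bh= value: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def _signing_input(headers: dict, signed: tuple, bh: str) -> bytes:
    # Only the listed headers are covered; Received, Bcc etc. are not.
    covered = "".join(f"{h}:{headers.get(h, '').strip()}\r\n" for h in signed)
    return (covered + f"bh={bh}").encode()


def sign(headers: dict, body: str) -> dict:
    bh = body_hash(body)
    mac = hmac.new(DEMO_KEY, _signing_input(headers, SIGNED_HEADERS, bh), hashlib.sha256)
    return {"d": "example.com", "h": ":".join(SIGNED_HEADERS), "bh": bh,
            "b": base64.b64encode(mac.digest()).decode()}


def verify(dkim: dict, headers: dict, body: str) -> bool:
    if body_hash(body) != dkim["bh"]:
        return False  # body content was altered after signing
    signed = tuple(dkim["h"].split(":"))
    mac = hmac.new(DEMO_KEY, _signing_input(headers, signed, dkim["bh"]), hashlib.sha256)
    return hmac.compare_digest(base64.b64encode(mac.digest()).decode(), dkim["b"])


# Constructed message from the signing domain.
ORIGINAL = {"from": "alice@example.com", "to": "bob@example.net", "subject": "Statement"}
BODY = "Your balance is $10.\nLog in at https://example.com/\n"
SIG = sign(ORIGINAL, BODY)


def relayed_copy_verifies() -> bool:
    # A third party resends the identical message; only unsigned headers differ.
    relayed = dict(ORIGINAL, received="from relay.example.org", bcc="list@example.org")
    return verify(SIG, relayed, BODY)


def altered_body_verifies() -> bool:
    # Swapping the link changes the body hash, so the signature no longer applies.
    return verify(SIG, ORIGINAL, BODY.replace("https://example.com/", "https://phish.example/"))
```

A verifier therefore learns only that example.com signed this exact content, not who is delivering it now or to whom.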