The idea here was that it would be kind of easier to create a DKIM validation method in which only the sender and the sender's server need to take part, and then any user can validate the email, regardless of lack of support in the client or receiving server.
The result the program would show on-screen in a popup, along with the details of the email. Like this:

"Signature is valid and verified to be signed by: yourbank.com" (yourbank.com is the domain taken from the d= parameter)
"From: k...@yourbank.com" (From: header, if signed)
"To: y...@yourprovider.com" (To: header, if signed)
"Subject: Submit your details now to validate your account" (Subject, if signed)
"Date: Fri, 10 nov, 2021 18:23:55" (Date, if signed)

A user scanning such a QR code would then look at the phone screen, and then look at the computer screen. The details in the popup match the email they see (so the QR code is not "stolen" from a legitimate email). They now know the email is legitimate; they can now freely click links, fill in details and do their validation without fear of phishing.

I do agree that email clients should do DKIM validation, but getting every email client to do DKIM validation is a pretty tricky part. If the client software and receiving server can be left out of the equation, then this could appear as apps in the app store where you can easily download a "DKIM-QR validator", like you can download a covidpass scanner from the app store today, and if this gets enough traction, the feature would get implemented in phones' native cameras like Samsung has.

The tricky part would be to get this to become an internet-wide standard, that then goes out in all the news and gets the same traction as SPF and DKIM get. Then banks will have their QR in emails "DKIM-QR: Scan to verify it's genuine" and even Paypal could use such a feature.
-----Original message-----
From: John Levine via mailop <mailop@mailop.org>
Sent: 12 December 2021 00:04
To: mailop@mailop.org
Cc: sebast...@sebbe.eu
Subject: Re: [mailop] Idea for new internet standard: DKIM-QR

It appears that Sebastian Nielsen via mailop <sebast...@sebbe.eu> said:
>And now to why this would be useful:
>
>A receiver of an email could then scan the QR code with his mobile
>phone, and the mobile app would do the validation against public DNS.
>This, if this would become a standard, could even be implemented built-in in
>phones.

Since the DKIM signature is part of the mail message, if you want your phone to do that, why wouldn't you just have the phone's mail program validate the signature in the usual way? Phones pick up mail by IMAP, so if they are sufficiently online to do IMAP, they can do DNS queries.

There's the more basic question of what the program would do with the result. Surely everyone here knows that "valid signature" has no connection to "not spam" or "not phish".

R's,
John
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
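As an added illustration (not code from the thread or from any project), here is the core of what the proposed validator app would do once it has the message in hand: parse the DKIM-Signature tags, check the body hash, show only the headers covered by h=, and name the DNS record it would fetch the public key from. It goes one step beyond the proposal by also reporting whether the From: domain matches the d= domain, since, as John's reply points out, a valid signature only proves who signed. The message, selector and signature value are constructed placeholders; actual verification of b= against the DNS key is left out.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

def parse_dkim_tags(sig_header):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in sig_header.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # folding whitespace carries no meaning
    return tags

def simple_body_hash(body):
    """bh= under 'simple' body canonicalization: CRLF line ends, trailing empty lines dropped."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def dkim_qr_popup(raw_message):
    """Fields a DKIM-QR validator would show. Checks bh= and which headers are in h=;
    verifying b= itself needs the public key from the DNS record named below."""
    msg = message_from_string(raw_message)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    signed = tags["h"].lower().split(":")
    popup = {
        "signer": tags["d"],                                   # the d= domain, as in the proposal
        "dns_record": f"{tags['s']}._domainkey.{tags['d']}",   # TXT record holding the public key
        "body_hash_ok": simple_body_hash(msg.get_payload()) == tags["bh"],
    }
    for name in ("From", "To", "Subject", "Date"):
        popup[name] = msg[name] if name.lower() in signed else "(not signed)"
    # d= says who signed, not who the mail claims to come from; show whether the two agree.
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    popup["from_matches_signer"] = from_domain == tags["d"].lower()
    return popup

BODY = "Please submit your details now.\n"
# Constructed sample (not a real signature): bh= is filled from BODY so the body check passes,
# b= is a placeholder because no private key is involved here.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=yourbank.com; s=sel1;\n"
    " h=from:to:subject:date; bh=" + simple_body_hash(BODY) + "; b=PLACEHOLDER\n"
    "From: k@yourbank.com\nTo: y@yourprovider.com\n"
    "Subject: Submit your details now to validate your account\n"
    "Date: Wed, 10 Nov 2021 18:23:55 +0000\n\n" + BODY
)
# Same signature attached to a different body: the bh= check catches the mismatch.
TAMPERED = SAMPLE.replace(BODY, "Your account has been upgraded.\n")
```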