The problem here is that the signer isn't shown prominently in MUAs.
Here is where the QR code comes in.

So yes, a phisher might own a domain, let's say spammydomain.xyz, and get 
the mail legitimately signed as spammydomain.xyz and get DMARC/DKIM pass.

That's why I suggest this QR code scheme to make the signature more visible and 
prominent in the email (like a pen-and-paper signature on a snail-mail 
document), so when someone verifies the signature it will be very prominent 
that spammydomain.xyz signed the mail and not yourbank.com.

Gmail already has a user interface to show SPF and DKIM signatures, by pressing 
the little down arrow on "To: me".

That's what DKIM is really lacking: authentication. Just that the email is 
signed isn't enough. It should be signed by the party that you are expecting 
to send the email, in this case yourbank.com.
And if some sort of authentication is added, it would be practically impossible 
to create an email that shows up as signed by "yourbank.com".


-----Original Message-----
From: John Levine via mailop <mailop@mailop.org> 
Sent: 14 December 2021 15:53
To: mailop@mailop.org
Cc: thomasm-mai...@wupper.com
Subject: Re: [mailop] Idea for new internet standard: DKIM-QR

It appears that Thomas Mechtersheimer via mailop <thomasm-mai...@wupper.com> 
said:
>for DKIM/DMARC checking in MUAs and prominently displaying these 
>authentication results, which would get the same level of security with 
>already existing standards.

Please keep in mind that level of security is "none".  People who send phishes 
know how to add DKIM signatures and get DMARC alignment.  They are often better 
at it than some legit senders.

DKIM and DMARC are useful but only as part of an overall mail filtering scheme, 
not as FUSSPs.

R's,
John
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
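As an added example, not part of the thread and not code from any of the posters, the Python below shows the check both messages above are really talking about: who the DKIM signer (the d= tag) is, and whether that signer aligns with the RFC5322.From domain the way DMARC evaluates it (relaxed or strict adkim). The sample headers are constructed, the b= and bh= values are placeholders rather than real signatures, and the cryptographic verification of the signature is assumed to have already passed (a real receiver verifies first, then checks alignment). The organizational-domain helper is an assumption for the example and uses the last two labels; real DMARC implementations consult the Public Suffix List.

```python
"""Added example: DKIM signer (d=) versus From: domain alignment, as DMARC
evaluates it. Constructed headers only; signature crypto is assumed verified.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample 1: the phisher's own domain signs its own mail.
# The signature verifies and DMARC alignment passes (John Levine's point).
PHISHER_OWN_DOMAIN = """\
From: "Your Bank" <security@spammydomain.xyz>
To: victim@example.com
Subject: Please confirm your account
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spammydomain.xyz;
\ts=s1; h=from:to:subject; bh=placeholder=; b=placeholder=
"""

# Constructed sample 2: From: claims yourbank.com, but the only signature is
# from spammydomain.xyz. The signature still verifies; alignment fails.
SPOOFED_FROM = """\
From: "Your Bank" <security@yourbank.com>
To: victim@example.com
Subject: Please confirm your account
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spammydomain.xyz;
\ts=s1; h=from:to:subject; bh=placeholder=; b=placeholder=
"""

# Constructed sample 3: a subdomain of the From: domain signs.
# Relaxed alignment passes, strict alignment fails.
SUBDOMAIN_SIGNER = """\
From: alerts@yourbank.com
To: customer@example.com
Subject: Statement available
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.yourbank.com;
\ts=dec2021; h=from:to:subject; bh=placeholder=; b=placeholder=
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature tag=value list (RFC 6376 section 3.2)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            # Folding whitespace is not significant inside tag values.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def organizational_domain(domain):
    """Assumption for this example: organizational domain = last two labels.
    Real DMARC implementations use the Public Suffix List (e.g. co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_alignment(raw_message, strict=False):
    """One record per DKIM-Signature: the signer, and whether it aligns with
    the RFC5322.From domain under relaxed (default) or strict adkim."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    records = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(sig)
        signer = tags.get("d", "").lower()
        if strict:
            aligned = signer == from_domain
        else:
            aligned = organizational_domain(signer) == organizational_domain(from_domain)
        records.append({"signer": signer, "selector": tags.get("s", ""),
                        "from_domain": from_domain, "aligned": aligned})
    return records


def signer_banner(raw_message):
    """The prominent line the post wants MUAs to show: signer next to From."""
    records = dkim_alignment(raw_message)
    if not records:
        return "Not DKIM signed"
    lines = []
    for r in records:
        status = "aligned with From" if r["aligned"] else "does NOT match From"
        lines.append(f"Signed by {r['signer']} (selector {r['selector']}); "
                     f"From domain {r['from_domain']}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (PHISHER_OWN_DOMAIN, SPOOFED_FROM, SUBDOMAIN_SIGNER):
        print(signer_banner(sample))
```

The first sample is the case the thread is about: everything passes because the phisher controls spammydomain.xyz, so the only thing a display can do is make "Signed by spammydomain.xyz" impossible to miss. The second sample is the case DMARC already catches, provided yourbank.com publishes a policy and the receiver enforces it.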
