And the reason why wanting to require both SPF _and_ DKIM passing would be a 
good thing...

Unfortunately one cannot do that.

Greets,
 Jeroen

--

> On 17 May 2024, at 16:12, Taavi Eomäe via mailop <mailop@mailop.org> wrote:
> 
> Hi!
> 
> As part of coordinated disclosure, I am sharing it here as well. In short, 
> using the approach described below, attackers can replace the entire contents 
> of a letter in a way that the letters still pass DKIM's cryptographic checks. 
> This also means these forged letters can be easily replayed to reach their 
> victims. This subverts many of the expectations operators have about DKIM 
> signatures, DMARC and BIMI.
> 
> Although some of these dangers have been known for a while (some parts are 
> even described in the RFC itself), things like the threat landscape, our 
> approach and the extent to which this can be abused have changed. In our 
> opinion previously suggested and (rarely) implemented mitigations do not 
> reduce these risks sufficiently.
> 
> We hope that with some cooperation from mail operators improved defense 
> measures can be implemented to strengthen DKIM for everyone.
> 
> 
> A longer description with images is available here: 
> https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/
> 
> 
> 
> Best Regards,
> Taavi Eomäe
> Zone Media OÜ
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

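The thread above does not spell out how the body of a DKIM-signed message can be changed without breaking the signature; the disclosure only notes that parts of the problem are described in the RFC itself. One such part is the optional l= (body length) tag of RFC 6376: the body hash (bh=) then covers only the first l bytes of the canonicalized body, so anything appended after that point is not protected by the signature. The following Python is an added illustration written for this page, not code from the disclosure, from Zone Media or from the mailop list. It implements only the "simple" body canonicalization and the body-hash computation (the header signature over bh= is left out, since it does not change the point), uses a constructed sample message, and shows no rendering tricks for making appended content displace the original. The function names and the sample text are assumptions of this example.

```python
import base64
import hashlib

CRLF = b"\r\n"


def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3 'simple' body canonicalization.

    Trailing empty lines are removed and the body is terminated by exactly
    one CRLF. Input is expected to use CRLF line endings already.
    """
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    if not body.endswith(CRLF):
        body += CRLF
    return body


def body_hash(body: bytes, length=None) -> str:
    """bh= value (base64 SHA-256) over the canonical body.

    When a body length (the l= tag) is given, only that many leading bytes
    of the canonical body are hashed; the rest of the body is unsigned.
    """
    canon = simple_body_canon(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def sign_body(body: bytes, use_length_tag: bool) -> dict:
    """Hypothetical signer: returns the bh= and l= parts of a signature."""
    canon = simple_body_canon(body)
    length = len(canon) if use_length_tag else None
    return {"bh": body_hash(body, length), "l": length}


def verify_body(sig: dict, body: bytes) -> bool:
    """Hypothetical verifier that honours l= exactly as the RFC allows."""
    return body_hash(body, sig["l"]) == sig["bh"]


def unsigned_trailing_bytes(sig: dict, body: bytes) -> int:
    """Operator check: how many bytes of the received body lie beyond l=.

    A verifier that wants to avoid this class of problem can treat any
    non-zero value (or any use of l= at all) as a failed signature.
    """
    if sig["l"] is None:
        return 0
    return max(0, len(simple_body_canon(body)) - sig["l"])


# Constructed sample: the body the legitimate sender signed, and the same
# body with attacker text appended after the signed length.
ORIGINAL = b"Hello,\r\n\r\nYour invoice is attached.\r\n"
APPENDED = ORIGINAL + b"\r\nPlease pay to the new account today.\r\n"


def demo() -> dict:
    """Returns which bodies verify against which kind of signature."""
    with_l = sign_body(ORIGINAL, use_length_tag=True)
    without_l = sign_body(ORIGINAL, use_length_tag=False)
    return {
        "with_l_original": verify_body(with_l, ORIGINAL),
        # Appended text is not covered by the hash, so this still passes.
        "with_l_appended": verify_body(with_l, APPENDED),
        # Without l= the whole canonical body is hashed and the change is caught.
        "without_l_appended": verify_body(without_l, APPENDED),
        "unsigned_bytes_seen": unsigned_trailing_bytes(with_l, APPENDED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical takeaway for a verifier is the last function: when a signature carries l=, compare it with the actual canonical body length and treat a shortfall as a failure rather than a pass, or simply refuse to honour l= at all. Not signing with l= in the first place removes the issue on the sending side.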
