On Fri, 5 May 2017 17:45:37 +0000
David Jones wrote:

> From: RW <rwmailli...@googlemail.com>
>     
> >On Fri, 5 May 2017 14:51:32 +0000
> >David Jones wrote:  
> 
> >> >I know. I do not want to validate the envelope from with DKIM. I
> >> >just want to know if the mail was DKIM-VALID signed by the DOMAIN
> >> >used in the envelope from.    
> >>   
> >> >So the only thing I want with the envelope from is to extract the
> >> >domain and test if the mail was DKIM signed (and valid) by that
> >> >domain.    
> >>   
> >> >This tells me the envelope from is not some random spoofed
> >> >address, but actually controlled by someone who handled the
> >> >e-mail before it arrived at our mta.    
> >> 
> >> This actually would be a very useful rule/logic to add to SA:
> >>  
> >> https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
> >>   
> 
> >So what would be the point in running a separate DKIM test against
> >the envelope if you are looking for alignment?  
> 
> I don't think this would be a separate DKIM test necessarily.  It
> should be a combination of SPF_PASS + DKIM_VALID_AU + the
> envelope-from matches the DKIM-signed domain.  This is basically
> perfect DMARC alignment where the domain has "p=reject" and DMARC
> would pass meaning the domain was not spoofed.


Alignment of the two from addresses is needed in DMARC so that SPF can
match on the same domain that the MUA displays (if it even does). It
doesn't do anything for DKIM.

I don't see why anyone would want a form of whitelisting where a
DKIM pass on a trusted domain would be ignored if there's no SPF
pass.
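
The checks discussed in this thread, as an added example that is not part of any poster's message or of SpamAssassin: it reads a recorded Authentication-Results header and reports DKIM alignment with the header From, DKIM alignment with the envelope from, a DMARC-style result (aligned SPF or aligned DKIM), and the proposed SPF_PASS + DKIM_VALID_AU + envelope-match combination. The sample message, the result key names and the simplified relaxed-alignment test are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Authentication-Results stands in for what your own
# verifying MTA recorded; never trust one supplied by the sender.
SAMPLE = """\
Return-Path: <bounce@mail.example.com>
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bounce@mail.example.com;
 dkim=pass header.d=example.com;
 dkim=pass header.d=esp.example.org
From: Alice <alice@example.com>
Subject: constructed test

body
"""

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def aligned(a, b, strict=False):
    # Assumption: relaxed mode is approximated as "equal or parent/child".
    # Real DMARC compares organizational domains via the Public Suffix List.
    if not a or not b:
        return False
    return a == b or (not strict and (a.endswith("." + b) or b.endswith("." + a)))

def evaluate(raw, strict=False):
    msg = message_from_string(raw)
    env_dom = domain_of(msg.get("Return-Path", ""))
    from_dom = domain_of(msg.get("From", ""))
    results = " ".join(msg.get("Authentication-Results", "").split())
    spf_pass, dkim_doms = False, []
    for clause in results.split(";")[1:]:      # [0] is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        d = re.search(r"header\.d=([\w.-]+)", clause)
        if method == "spf":
            spf_pass = spf_pass or result == "pass"
        elif method == "dkim" and result == "pass" and d:
            dkim_doms.append(d.group(1).lower())
    au = any(aligned(d, from_dom, strict) for d in dkim_doms)
    ef = any(aligned(d, env_dom, strict) for d in dkim_doms)
    spf_al = spf_pass and aligned(env_dom, from_dom, strict)
    return {"spf_pass": spf_pass, "dkim_author_aligned": au,
            "dkim_envfrom_aligned": ef, "dmarc_pass": spf_al or au,
            "combined_rule": spf_pass and au and ef}
```

On the constructed sample, SPF fails while a DKIM signature aligned with the header From verifies, so the DMARC-style result passes and the three-way combination does not.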
