Comment 13 for bug 316272

Martin Pool (mbp) wrote :

Thanks for talking this over, Scott. To try to summarize, the typical problem case is this:

example.com allows any of their users to pretend to be any other user

example.com accepts SMTP submissions from their internal network, and on the way out they add a valid signature. However, they don't check that the user part of the From address corresponds to the actual user who sent the mail; therefore intra-domain or cross-user forgery is possible. If DKIM is deployed as a wrapper around the MTA that doesn't connect to mail submission authentication, and if the submission authentication doesn't prevent spoofing, this is quite possible. We don't know how widespread this is and there is no way to tell from the outside whether a particular sender domain allows this or not.

This would be pretty sloppy on the part of example.com, and I think against the spirit of the DKIM spec, but it may be so common that we can't ignore it.

We could reasonably assume that gmail and yahoo don't allow this but other domains do.

The DKIM spec certainly seems to imply that if the From line is signed by the relevant domain then it can be trusted.
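
The check that the comment describes as missing at example.com, sketched as an added example (not part of the comment above and not any project's code): before the DKIM signer runs, the submission service compares the authenticated submitter with the From address. The `ALLOWED_FROM` table, the `may_sign` function and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

SIGNING_DOMAIN = "example.com"  # the domain used in the comment

# Constructed mapping: authenticated login -> From addresses it may use.
ALLOWED_FROM = {
    "alice": {"alice@example.com", "sales@example.com"},
    "bob": {"bob@example.com"},
}

# Constructed sample submissions.
BOB_MSG = "From: Bob <bob@example.com>\nSubject: hi\n\nbody\n"
TWO_FROM_MSG = "From: bob@example.com\nFrom: alice@example.com\n\nbody\n"
OTHER_DOMAIN_MSG = "From: bob@example.org\nSubject: hi\n\nbody\n"


def may_sign(auth_user, raw_message):
    """Return (ok, reason). Sign only when From matches the authenticated user."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    # Multiple From headers make it ambiguous which one a reader will see.
    if len(from_headers) != 1:
        return False, "expected exactly one From header"
    addrs = [a.lower() for _, a in getaddresses(from_headers) if a]
    if len(addrs) != 1:
        return False, "expected exactly one From address"
    addr = addrs[0]
    domain = addr.rpartition("@")[2]
    if domain != SIGNING_DOMAIN:
        return False, "From domain is not the signing domain"
    if auth_user is None:
        return False, "unauthenticated submission"
    # The cross-user check: without it, any internal user gets a valid
    # signature over any other user's address.
    if addr not in ALLOWED_FROM.get(auth_user, set()):
        return False, f"{auth_user} may not send as {addr}"
    return True, "ok"


if __name__ == "__main__":
    for user in ("bob", "alice", None):
        print(user, may_sign(user, BOB_MSG))
```

A receiver still cannot observe whether a sending domain performs this check, which is the limitation the comment points out.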