[Asrg] where the message originated (was: DKIM role?) (SM)
Ian Eiloart
iane at sussex.ac.uk
Tue Jan 20 06:54:27 PST 2009
--On 20 January 2009 09:02:31 -0500 Dotzero <dotzero at gmail.com> wrote:
>
> Why aren't they supposed to do that?
Well, because they haven't delivered the message yet, for example. They
might be about to forward it to another MTA. I know that Exim does most of
its header manipulation before delivery.
> How many MUAs are checking DKIM
> signatures at the moment?
Probably none, but it's an obvious thing to want to do, isn't it? Anyway,
what's the point of delivering a message with DKIM signature that you've
already broken. At least, you could remove the signature.
> I can think of a numbe rof ISPs that are
> adding headers to indicate various checks. From a DKIM perspective,
> the less you sign the greater the risk. Don't do the body length (full
> length that is)? Evil bad person can engate in replay attacks with
> content of their choice.
>
> This is not only about what you prefer personally. This is about what
> works generally. You work for a University. What percentage of your
> endusers are checking DKIM? I'm going to take a wild leap and assert
> that it approximates zero if it isn't actually zero.
>
> As far as I know, DKIM checking is happening at the MTA or in
> association with the MTA (Seperate host behind the front line MTA or
> something similar). It isn't happening at the user level. And that
> makes sense, at least to me. Maybe in some distant future MUAs will do
> DKIM checking but I wouldn't hold my breath.
--
Ian Eiloart
IT Services, University of Sussex
x3148
More information about the Asrg
mailing list