spamassassin-users mailing list archives

From "Bill Cole" <>
Subject Re: SPF
Date Wed, 08 May 2019 04:26:41 GMT
On 6 May 2019, at 17:10, Grant Taylor wrote:

> On 5/3/19 2:02 PM, Bill Cole wrote:
>> If the signer domain and the From header domain match, a valid DKIM signature that
>> includes the From header is authentication of the From header to the limits of DNS trustworthiness
>> and trust in the integrity of the domain's authority.
> Which section of RFC 6376 supports this statement?

The parts that use the word "domain."

There is a basic premise grounded in the definition of domain names and buttressed by
the use of domain names in effectively everything else that domains have a unitary executive:
that the entity which publishes a public key in a DKIM record, the entity that signs mail
with the corresponding private key, and the entity that controls the email local-part namespace
for the domain are all one entity, as far as the world is concerned.

> I just re-read large chunks of RFC 6376 and see verbiage that states the opposite.  All
> of which seem to me to specifically avoid drawing any conclusion about the authorship of a
> message within the context of DKIM.  Further, such conclusions are left to other things making
> policy decisions based on DKIM results.
> | § 3.11 - Relationship between SDID and AUID
> |
> | INFORMATIVE DISCUSSION: This document does not require the value
> | of the SDID or AUID to match an identifier in any other message
> | header field.
> DKIM does not require SDID or AUID to match any other header field.  As such, DKIM itself
> can't be relied upon as authentication of other header fields.

Non sequitur.

DKIM itself does not require any sort of match. It is entirely valid for a signer to sign
with a key whose domain is unrelated to any domain in the message or its envelope.

However, in ALL cases the DKIM signer is claiming responsibility for the message being signed.
What that claim is worth in all cases is not specified by DKIM. In a special case (DKIM signer
domain = From address domain) the conceptual nature of the DNS implies that the claim of responsibility
is de facto authentication.

> | This requirement is, instead, an Assessor policy issue.
> Per § 2.7, the Identity Assessor "consumed DKIM's payload" which tells me that it is
> not part of DKIM.  I believe that "Other DKIM (and non-DKIM) values can also be used by the
> Identity Assessor…."  supports the fact that the Identity Assessor is external to DKIM.

This does not mean that it does not exist or that it doesn't need to follow some basic rules.
SpamAssassin has a DKIM_VALID_AU rule because a basic rule it understands about assessing
identity is that a domain signer should know whether a From in its domain is valid.

Bill Cole or
(AKA @grumpybozo and many * addresses)
Available For Hire:
