t.petch wrote:
It functions, but does not work, in that it tells me nothing about the true origin of the communication.
Yes and no, and that is the main problem with DKIM, which I see as the lack of 3rd-party signal controls, or put another way: anyone, middleware and especially list servers, can blindly DKIM re-sign mail without restrictions. That lack of control has cost originating authoring domains, the copyright holders of mail, all benefits of supporting DKIM.
The current approach is that original domains no longer have any rights whatsoever to declare that they are the only signers allowed to sign mail, and that any deviation from that expectation should be an indication of protocol failure: "Reject it!"
Unfortunately, in order to allow a list server or any 3rd-party middleware to exist with DKIM (re)signing features, it needs to ignore any original DKIM domain signing practice or expectations.
No domain that wishes exclusive signing operations should be sending its signed mail to a public service forum. We know this, but we don't have the controls to disallow faults or bad guys attempting to create a facsimile of your domain-signed mail in public areas or directly to others.
Finally, as DKIM was revamped from a secured Author-Domain signing protocol to an "anyone can sign" 3rd-party trust vendor protocol, the problem we face is that we don't have consistency with 3rd-party trust tables. For DKIM to work, every validator needs a copy of the same trust tables. DKIM is a protocol that requires batteries in order to work, and everyone must use the same batteries.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
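The "anyone can re-sign" point above can be made concrete by looking at what a validator actually learns from the DKIM-Signature headers of a list-relayed message. The following is an added example written for this page, not code from the post, the IETF list, or any DKIM implementation. It parses the DKIM tag=value header syntax (RFC 6376 section 3.2) to see who signed, then applies two validator policies to the same message: the "any valid signer passes" rule that verifiers use today, and the "author domain must be the only signer" rule the post argues the originating domain should be able to declare. The domains (author.example, list.example), the message, and the per-signature verification outcomes are all constructed; the cryptographic check itself is out of scope and is fed in as a boolean per signing domain.

```python
"""Author-domain-only vs any-signer DKIM validation (constructed example).

Cryptographic verification is assumed to have already happened; its result
per d= domain is supplied in a dict so the example runs offline.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Tags are separated by ';'. Folding whitespace inside a value is not
    significant for the tags we care about here (d=, i=, b=, bh=), so all
    whitespace is stripped. A value may itself contain '=' (base64 padding),
    so split only on the first one.
    """
    tags = {}
    for field in value.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"malformed DKIM tag: {field!r}")
        name, val = field.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signing_domains(raw_message: str) -> list:
    """Return (d=, i=) for every DKIM-Signature header, in header order."""
    msg = message_from_string(raw_message)
    found = []
    for hdr in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(str(hdr))
        d = tags["d"].lower()
        i = tags.get("i", "@" + d).lower()  # i= defaults to "@<d=>" per RFC 6376
        found.append((d, i))
    return found


def author_domain(raw_message: str) -> str:
    """Domain of the RFC5322.From address (the 'author domain')."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def evaluate(raw_message: str, verified: dict) -> dict:
    """Apply both policies. `verified` maps d= domain -> bool (constructed
    stand-in for the cryptographic verification of that signature)."""
    author = author_domain(raw_message)
    sigs = signing_domains(raw_message)
    valid = [d for d, _ in sigs if verified.get(d, False)]

    # Policy 1 (today's DKIM): any valid signature at all is a pass. Note
    # that this says nothing about whether the author domain signed.
    any_signer = "pass" if valid else "fail"

    # Policy 2 (exclusive author-domain signing): the author domain's own
    # signature must verify, and no other signer may be present at all.
    if author in valid and all(d == author for d, _ in sigs):
        author_only = "pass"
    elif author in valid:
        author_only = "reject: third-party signer present"
    else:
        author_only = "reject: no valid author-domain signature"

    return {"author": author, "signers": sigs,
            "any_signer": any_signer, "author_only": author_only}


# Constructed message: list.example relayed a post from author.example,
# rewrote Subject and appended a footer (breaking the author signature's
# body hash), then added its own signature on top. Signature values are
# placeholders, not real signatures.
LIST_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=list.example;
 s=lists; h=From:To:Subject:Date:Message-ID;
 bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
 b=aGVsbG8gd29ybGQ=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=author.example;
 s=mail; h=From:To:Subject:Date:Message-ID;
 bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
 b=Zm9vYmFy
From: Alice <alice@author.example>
To: discuss@list.example
Subject: [discuss] hello
Date: Mon, 01 Jan 2024 00:00:00 +0000
Message-ID: <1@author.example>

hello
--
discuss mailing list footer (added by the list)
"""

# Constructed verification outcomes after the list's modifications.
VERIFIED_AFTER_LIST = {"list.example": True, "author.example": False}

if __name__ == "__main__":
    print(evaluate(LIST_MESSAGE, VERIFIED_AFTER_LIST))
```

With the constructed outcomes the any-signer policy reports "pass" on the strength of list.example's signature alone, which is exactly the "functions, but tells me nothing about the true origin" complaint; the author-domain-only policy rejects the same message, and would still reject it (as a third-party signer) even if the author signature had survived the relay intact.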