DKIM becomes more official

John L
Sun Oct 28 18:01:18 UTC 2007

> Curiously, in my test from, the envelope sender and the
> `Sender' were addresses, but the `From' was a local address.
> used DKIM to authenticate all of those headers.  I assume
> that means that they can't be forged.

Not really.  All you know is that they're unchanged from the way they were 
when gmail signed it.  You need some external knowledge about Gmail's 
practices to know whether they're real.

As it happens, when you add a non-gmail address to a Google account, they 
send a confirmation mail with a URL you have to click, so in the 
particular case of Gmail, you can be reasonably sure the address is real. 
In general, without specific info like that, you can't.

> I'd like to whitelist all e-mail from their domain that passes 
> validation, and reject everything else.  That would eliminate the 
> phishing messages that are so pervasive now.

I wish people would stop spreading that particular piece of disinformation 
(and I bet Vern does, too.)  DKIM will tell you that mail purporting to be 
from really is from, but it won't tell 
you that it's not your bank, it's some domain speculator in Edmonton.
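
The distinction drawn in this message, as an added example that is not part of the original post: a valid DKIM signature names a signing domain (`d=`) and the headers it covers (`h=`), and whether that domain is one you should trust is a separate local decision. The `EXPECTED_DOMAINS` list, the `.example` domains and the sample messages are constructed, and the code assumes a DKIM verifier has already accepted the signature cryptographically.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this receiver has independently decided to trust.
EXPECTED_DOMAINS = {"bank.example"}

def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def assess(raw_message):
    """Report what an already-verified DKIM signature does and does not say."""
    msg = message_from_string(raw_message)
    tags = dkim_tags(msg["DKIM-Signature"])
    signer = tags["d"].lower()
    signed = {h.lower() for h in tags["h"].split(":")}
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {
        "signer": signer,
        # The From header is unchanged since the signer signed it.
        "from_is_signed": "from" in signed,
        # The From domain is the signer's own domain or a subdomain of it.
        "from_matches_signer": from_domain == signer
                               or from_domain.endswith("." + signer),
        # Local knowledge, which DKIM itself cannot supply.
        "signer_is_expected": signer in EXPECTED_DOMAINS,
    }

def sample(from_addr, d):
    """Build a constructed message; bh= and b= are placeholders, not real data."""
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel;\n"
            f"\th=from:sender:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=\n"
            f"From: {from_addr}\nSender: user@{d}\nSubject: test\n\nbody\n")

GENUINE = sample("alerts@bank.example", "bank.example")
LOOKALIKE = sample("alerts@bank-secure.example", "bank-secure.example")
THIRD_PARTY = sample("me@home.example", "mail.example")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE),
                      ("third-party", THIRD_PARTY)]:
        print(name, assess(raw))
```

The look-alike message is indistinguishable from the genuine one on every DKIM-derived field; only the locally maintained list separates them.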


More information about the DCC mailing list
