DKIM becomes more official

John L johnl@iecc.com
Sun Oct 28 18:01:18 UTC 2007


> Curiously, in my test from gmail.com, the envelope sender and the
> `Sender' were gmail.com addresses, but the `From' was a local address.
> Gmail.com used DKIM to authenticate all of those headers.  I assume
> that means that they can't be forged.

Not really.  All you know is that they're unchanged from the way they were 
when gmail signed it.  You need some external knowledge about Gmail's 
practices to know whether they're real.

As it happens, when you add a non-gmail address to a Google account, they 
send a confirmation mail with a URL you have to click, so in the 
particular case of Gmail, you can be reasonably sure the address is real. 
In general, without specific info like that, you can't.

> I'd like to whitelist all e-mail from their domain that passes 
> validation, and reject everything else.  That would eliminate the 
> phishing messages that are so pervasive now.

I wish people would stop spreading that particular piece of disinformation 
(and I bet Vern does, too.)  DKIM will tell you that mail purporting to be 
from canadatrust.mobi really is from canadatrust.mobi, but it won't tell 
you that it's not your bank, it's some domain speculator in Edmonton.

R's,
John
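As an added illustration of the distinction John draws above (example code written for this page, not from the DCC list, its authors, or the DCC software): a DKIM pass tells you which domain signed the message and that the signed headers are unchanged since then; whether that domain is one you trust is a separate, local decision. The code assumes an upstream verifier (the MTA) has already checked the signature and recorded the outcome in an RFC 8601 Authentication-Results header; the allowlist, the domain bank.example and the sample messages are constructed, while canadatrust.mobi is the look-alike domain from the post.

```python
"""Policy layer over DKIM results (added example, not from the DCC list).

Assumption: DKIM verification happened upstream and its outcome is in an
Authentication-Results header (RFC 8601).  This code only interprets it:
"dkim=pass header.d=X" proves the signed headers are unchanged since X
signed them, nothing more.  Whether X is a domain you trust is modelled
as a constructed allowlist that must be established out of band.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# One DKIM method clause inside Authentication-Results, e.g.
#   dkim=pass header.d=gmail.com header.i=@gmail.com
DKIM_CLAUSE = re.compile(r"\bdkim=(?P<result>\w+)(?P<props>[^;]*)", re.I)
HEADER_D = re.compile(r"\bheader\.d=(?P<d>[A-Za-z0-9.-]+)", re.I)


def signing_domains(msg):
    """Set of domains reported as dkim=pass in Authentication-Results."""
    passed = set()
    for ar in msg.get_all("Authentication-Results", []):
        for m in DKIM_CLAUSE.finditer(ar):
            if m.group("result").lower() != "pass":
                continue
            d = HEADER_D.search(m.group("props"))
            if d:
                passed.add(d.group("d").lower())
    return passed


def address_domain(msg, header):
    """Domain of the first address in `header`, lower-cased, or None."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def classify(raw, trusted):
    """What a DKIM pass does (and does not) let you conclude.

    trusted: constructed allowlist of domains *you* decided are the real
    sender (your actual bank), learned out of band, never from DKIM.
    """
    msg = message_from_string(raw)
    signers = signing_domains(msg)
    from_dom = address_domain(msg, "From")
    if not signers:
        return "unauthenticated"
    if from_dom not in signers:
        # A third party (e.g. gmail.com) vouches the headers are intact;
        # the From: domain itself made no verifiable claim.
        return "signed-by-third-party:" + ",".join(sorted(signers))
    if from_dom in trusted:
        return "trusted"
    # Aligned DKIM pass: mail really is from from_dom, but from_dom is
    # not one you trust.  Whitelisting on the pass alone is the mistake
    # the post warns about.
    return "authenticated-unknown:" + from_dom


# Constructed sample messages (not captured traffic).
LOOKALIKE = """From: "Canada Trust Alerts" <alerts@canadatrust.mobi>
To: you@example.org
Subject: Please verify your account
Authentication-Results: mx.example.org; dkim=pass header.d=canadatrust.mobi

Click here to verify.
"""

GMAIL_RELAY = """From: me@home.example
Sender: me.account@gmail.com
To: you@example.org
Subject: test sent through gmail
Authentication-Results: mx.example.org; dkim=pass header.d=gmail.com header.i=@gmail.com; spf=pass smtp.mailfrom=gmail.com

hello
"""

BANK_REAL = """From: notices@bank.example
To: you@example.org
Subject: statement ready
Authentication-Results: mx.example.org; dkim=pass header.d=bank.example

Your statement is ready.
"""

TRUSTED = {"bank.example"}  # constructed allowlist

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("gmail relay", GMAIL_RELAY),
                      ("real bank", BANK_REAL)]:
        print(f"{name:12s} -> {classify(raw, TRUSTED)}")
```

The look-alike message passes DKIM with full From: alignment and still lands in "authenticated-unknown", because canadatrust.mobi is not on the allowlist; the Gmail relay case reproduces the situation in the quoted question, where gmail.com signed a message whose From: is a local address and the pass vouches only for gmail.com.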
