Incoming SMTP in the year 2017 and absence of DKIM

Grant Taylor gtaylor at tnetconsulting.net
Wed Nov 29 21:27:28 CST 2017


On 11/29/2017 11:35 AM, Brian Kantor wrote:
> As I see it, the problem isn't with DKIM,

I don't think DKIM is (the source of) /the/ problem per se.  Rather I
think it's a complication of other things (DMARC) that interact with DKIM.

> it's with the 
> implementation of DMARC and other such filters.  Almost all 
> of them TEST THE WRONG FROM ADDRESS.  They compare the Author's 
> address (the header From: line) instead of the Sender's address, 
> (the SMTP Mail From: transaction or Sender: header line).

I believe it's more than just the implementation.  The DMARC 
specification specifically calls out the RFC 5322 From: header.

Further, RFC 7489, Appendix A, § 3 speaks directly to this.

> If the filter checked the Sender address of mail instead of the 
> Author address, mailing lists wouldn't be broken!

Perhaps.  However I fear we would be facing an entirely new type of spam 
that used spoofed From: headers and perfectly legitimate Sender: headers 
(that also match the RFC 5321 SMTP FROM address.)  See RFC 7489 § A.3.1.



-- 
Grant. . . .
unix || die
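
Added example, not part of the original message or of any DMARC implementation: a sketch of the two checks discussed in this thread, run over three constructed messages, showing that a Sender-based test lets list mail through but equally accepts a forged From: with a legitimately authenticated Sender. The two-label organizational-domain rule, the function names and all domains are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def header_domain(msg, name):
    # Domain part of the first address in the named header, or "".
    return parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()

def aligned(identity, authenticated):
    # Relaxed alignment: organizational domains are equal.
    return bool(identity) and any(
        org_domain(identity) == org_domain(d) for d in authenticated if d)

def evaluate(raw, spf_domain, dkim_domains):
    """Return (from_check, sender_check) for one message.

    spf_domain: MAIL FROM domain that passed SPF ("" if none).
    dkim_domains: d= values of signatures that verified.
    """
    msg = message_from_string(raw)
    auth = [spf_domain, *dkim_domains]
    from_dom = header_domain(msg, "From")
    # Hypothetical filter from the thread: test Sender:, fall back to From:.
    sender_dom = header_domain(msg, "Sender") or from_dom
    return aligned(from_dom, auth), aligned(sender_dom, auth)

# Constructed samples (all domains are placeholders).
DIRECT = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
VIA_LIST = ("From: Alice <alice@example.org>\n"
            "Sender: list-bounces@lists.example.net\nSubject: [list] hi\n\nbody\n")
SPOOFED = ("From: Billing <billing@bank.example>\n"
           "Sender: bulk@mailer.example\nSubject: invoice\n\nbody\n")

def run_samples():
    return {
        "direct": evaluate(DIRECT, "example.org", ["example.org"]),
        # List rewrote the body: author's DKIM no longer verifies.
        "via_list": evaluate(VIA_LIST, "lists.example.net", []),
        # Sending domain authenticates itself perfectly; From: is forged.
        "spoofed": evaluate(SPOOFED, "mailer.example", ["mailer.example"]),
    }

if __name__ == "__main__":
    for name, (from_ok, sender_ok) in run_samples().items():
        print(f"{name:9} From-check={from_ok}  Sender-check={sender_ok}")
```
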
