DKIM and email address proof-of-control

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Tue Aug 2 11:37:53 CEST 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Tuesday 2 August 2016 at 2:32:17 AM, in
<mid:31f732aa-defe-23a0-9e66-15fa057d50fd at twopif.net>, Lachlan Gunn
wrote:



> 2. With Gmail at least, the From seems to be
> replaced with the account
> that I log in from, yielding the following
> (lachlan at twopif.net is a
> Google Apps address):

>     From: Lachlan Gunn <lachlan at twopif.net>
>     X-Google-Original-From: Lachlan Gunn
> <lachlan.gunn at gmail.com>


Does that mean you sent the email from the @gmail.com address, but
because you happened to be logged in with the @twopif.net address
Google took it upon themselves to change the from address? I wouldn't
like that: it is not up to the email provider to choose which of my
email addresses I expose to which contacts.



> I would have thought that any sane MTA would do
> either this or outright
> reject such an email, but maybe I'm overoptimistic.

Rejecting with a clear message indicating the reason makes more sense
to me.



> This is why I meant
> that whitelisting might be a good idea---if it is
> known that they have
> anti-spoofing measures in place then their signature
> has value, if not
> then no.

Even if they have such measures in place, the account may have extra
addresses or aliases configured to send messages (GMX, Gmail, Yahoo,
Riesup all allow this in slightly differing forms). Presumably a
signature from a provider that allows this would have lower value than
one from a provider that does not, but higher valve than one from a
provider who was not known to have anti-spoofing measures in place?



> I guess I should clarify this to mean that the
> subject would have to be
> "VALIDATE-EMAIL-F3E3..." without any other text
> around it.  Dashes are
> there so that misleading spacing cannot be
> canonicalised away.  Subject
> lines wouldn't ever be changed and expected to
> remain valid, because the
> process would be "Send a blank email with the
> subject line
> "VALIDATE-EMAIL-<your fingerprint>".

In that case, what attacks involving reply-to are you wishing to
protect against?



- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

A nod is as good as a wink to a blind bat!
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJXoGnyXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwBRcH/33cCcYFBvBYKcvqAkDHjyzp
EWkNZ+LDRDo6Fj8CXkvbFOyvd7f48OMPe2GDBeuS5wCIC2NmnzrdjkYs5O7npp6X
YY7H9tbM4E1dq6SW0YHJyQCHphUTZZHMIsWbaumlKTCdPDvSzLeL75oOTO6L9aoI
PFAyMNUT56pFVQmA+lMO1kTsTi+B9Dl8ZnKULczpdnmqukqAhmxEflBjhWDNm1JM
jlkPQ4kwaDh6zrVo7/Id94wIaEEagGG1cTFbe5rn0DhDtJh0wVvv8bH7wIW3jbTs
bQCp3xsfGtqMds7tJ89LL3Vo6uCwIf+ovJ6qApW3gdp9P6+kdOFDl2mO0EtdaxuI
vgQBFgoAZgUCV6Bp8l8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45F4kAP95nRhcsrRx1oeLbswMcoUanhFO
KjiyY43lnLA0jyHf0wD/egCqkI+8woiZc3UssntGQQw8jxPPixoVbZhTGOjNUw8=
=R+Vw
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list