DKIM and email address proof-of-control

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Tue Aug 2 16:05:53 CEST 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Tuesday 2 August 2016 at 12:07:14 PM, in
<mid:b9a0c055-9b55-ff2d-1cdf-a61407235f46 at twopif.net>, Lachlan Gunn
wrote:


> I mean that I connect to Google's SMTP server with
> Thunderbird using the
> "lachlan at twopif.net" login details, but configure
> the account's email
> address to be lachlan.gunn at gmail.com, so that From:
> and MAIL FROM are
> both @gmail.

And, from your previous post, Google takes it upon themselves to
change the "From:" header to "Lachlan Gunn <lachlan at twopif.net>" and
insert a new "X-Google-Original-From:" header containing the detail
from your original "From:" header. So Google chooses to expose two of
your email addresses to the recipient instead of just the one you used
for that message. To me that is not good. But to bring it back
on-topic, would a DKIM signature on such a message be for the
gmail.com domain or the twopif.net domain?



> I'm not sure exactly what you mean, but I don't
> think the existence of
> such aliases is a problem---unless I misunderstand,
> ultimately the
> sender still controls the alias, and it is no
> different from any other
> email address in that respect.

You're right. The DKIM signature says that the email was sent from
_an_ authorised account at that domaim but not _which_ authorised
account, so I guess it doesn't matter if the email address is an
alias.



> The main thing is to prevent things like putting
> request at roboca into the
> to: field in a mass email and then bank on someone
> hitting reply-to-all,
> or by putting it into Reply-To.

Is this a Denial of Service attack, rather than an attempt to get
roboca to certify something it shouldn't?



> Checking the subject line seems fairly reasonable,
> and requiring an
> email in response to one the CA---In-Reply-To is
> signed in my test
> messages, you can use a signature as the message
> ID---ought to make
> things more difficult for anyone but the CA.

I thought the message-ID had to end in a fully qualified domain name.


- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Do what you can, with what you have, where you are.
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJXoKjFXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwFl0IAL1HHiElzNQi2VuxAxlycvGE
eJ8vO3MNoPAXpY7hNByUU9X2TSPk1hmip2JM3Jv3MeZuxklFQceMVcCmcqTl52iD
/mWm6jXooMZMJdbsl4yE/AEhd4vlioXPIzmvRZ8JIHXnZ221qdpRZkwQoyRvWTmj
fmIZu26d5ghY0dsOOQMD5vkCLR120dYpDj2N6fZvV9jZ/UqfbHGf8IGkM1iYashL
rYgYkN3ngyw45hN5XL0VzVeRiqUMCbzjom6414p49Jw6KaBHoZzPOMb0DGEEbhE0
S/EyoDiCazhhe9ABlUE4tEfdLiVba0/K6roJcalraac3g3UL92wt2WBzel8L11WI
vgQBFgoAZgUCV6Co0F8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45ET0AQCBbxecjM2YUHpOjRwNKQVHiKn7
khgG1DB6CRhyPwYq4AEA1vz7ZwGnh/5ekfdBDxUTY/CZjO/wtEFGhP1OTRI/wwY=
=xYP5
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list