DKIM and email address proof-of-control
2014-667rhzu3dc-lists-groups at riseup.net
Tue Aug 2 16:05:53 CEST 2016
On Tuesday 2 August 2016 at 12:07:14 PM, in
<mid:b9a0c055-9b55-ff2d-1cdf-a61407235f46 at twopif.net>, Lachlan Gunn
> I mean that I connect to Google's SMTP server with Thunderbird using the "lachlan at twopif.net" login details, but configure the account's email address to be lachlan.gunn at gmail.com, so that From: and MAIL FROM are both @gmail.
And, from your previous post, Google takes it upon themselves to
change the "From:" header to "Lachlan Gunn <lachlan at twopif.net>" and
insert a new "X-Google-Original-From:" header containing the detail
from your original "From:" header. So Google chooses to expose two of
your email addresses to the recipient instead of just the one you used
for that message. To me that is not good. But to bring it back
on-topic, would a DKIM signature on such a message be for the
gmail.com domain or the twopif.net domain?
> I'm not sure exactly what you mean, but I don't think the existence of such aliases is a problem---unless I misunderstand, ultimately the sender still controls the alias, and it is no different from any other email address in that respect.
You're right. The DKIM signature says that the email was sent from
_an_ authorised account at that domain but not _which_ authorised
account, so I guess it doesn't matter if the email address is an
> The main thing is to prevent things like putting request at roboca into the to: field in a mass email and then bank on someone hitting reply-to-all, or by putting it into Reply-To.
Is this a Denial of Service attack, rather than an attempt to get
roboca to certify something it shouldn't?
> Checking the subject line seems fairly reasonable, and requiring an email in response to one the CA---In-Reply-To is signed in my test messages, you can use a signature as the message ID---ought to make things more difficult for anyone but the CA.
I thought the message-ID had to end in a fully qualified domain name.
MFPA <mailto:2014-667rhzu3dc-lists-groups at riseup.net>
Do what you can, with what you have, where you are.
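As an added example (not code from this thread or from any project mentioned in it), the script below checks the things the exchange above turns on: which domain a DKIM-Signature's d= tag names, whether that matches the domain shown in From:, whether From:, In-Reply-To: and Message-ID: are listed in the signed-header tag h=, and whether the Message-ID's right-hand side looks like a fully qualified domain name. The sample message is constructed for illustration only: the d=gmail.com / From: twopif.net combination, the X-Google-Original-From: value, the roboca.example addresses, the selector and the bh=/b= values are placeholders, not a captured Google message. The script parses the signature header; it does not verify the signature cryptographically.

```python
"""Inspect a DKIM-Signature header: which domain it asserts and which headers it covers.

Added example for this thread; it parses and checks the tags, it does not verify
the signature itself (that needs the selector's public key from DNS).
"""
import email
from email.utils import parseaddr

# Constructed sample, NOT a captured Google message.  It mimics the situation
# discussed in the thread: From: rewritten to one domain, the original From:
# kept in X-Google-Original-From:, while the DKIM d= tag names another domain.
# Addresses, selector, bh= and b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com;
 s=20120113; h=x-google-original-from:from:to:subject:message-id:in-reply-to;
 bh=Zm9v; b=YmFy
X-Google-Original-From: lachlan.gunn@gmail.com
From: Lachlan Gunn <lachlan@twopif.net>
To: request@roboca.example
Subject: proof of control
Message-ID: <4bd1c5f2@twopif.net>
In-Reply-To: <challenge-1@roboca.example>

Signed reply to the CA's challenge.
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature tag=value list (RFC 6376 section 3.2) into a dict.
    Folding whitespace inside values (usual in h= and b=) is discarded."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = "".join(val.split())
    return tags


def signed_headers(tags):
    """Header names covered by the signature, lower-cased, in h= order."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def address_domain(header_value):
    """Domain part of the first address in a From:-style header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def message_id_right_is_fqdn(message_id):
    """Heuristic for the convention MFPA mentions: the part of the Message-ID
    after '@' should look like a fully qualified domain name (contains a dot)."""
    mid = (message_id or "").strip().strip("<>")
    right = mid.rpartition("@")[2]
    return "@" in mid and "." in right and not right.endswith(".")


def analyse(raw_message):
    """Return the facts a verifier would want before trusting a DKIM-signed reply."""
    msg = email.message_from_string(raw_message)  # compat32: plain string headers
    dkim = msg.get("DKIM-Signature")
    if dkim is None:
        return {"dkim_present": False}
    tags = parse_dkim_tags(dkim)
    covered = signed_headers(tags)
    signer = tags.get("d", "").lower()
    sender = address_domain(msg.get("From"))
    return {
        "dkim_present": True,
        "signing_domain": signer,                 # what the signature attests
        "from_domain": sender,                    # what the recipient sees
        "from_matches_signer": bool(sender) and sender == signer,
        "from_signed": "from" in covered,
        "in_reply_to_signed": "in-reply-to" in covered,
        "message_id_signed": "message-id" in covered,
        "message_id_fqdn": message_id_right_is_fqdn(msg.get("Message-ID")),
        "original_from": msg.get("X-Google-Original-From"),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE).items():
        print(f"{key:22} {val}")
```

On the constructed sample the signing domain (gmail.com) and the From: domain (twopif.net) differ while In-Reply-To: is covered by h=. DKIM itself does not require d= to match the From: domain; requiring that alignment is what DMARC adds, so a CA that wants "signed by the domain in From:" has to check it explicitly, as the from_matches_signer field does. For the cryptographic step a real verifier such as dkimpy would be used; this script only tells you what the signature claims to cover.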