nanog mailing list archives

Re: Incoming SMTP in the year 2017 and absence of DKIM


From: Grant Taylor via NANOG <nanog () nanog org>
Date: Wed, 29 Nov 2017 14:27:28 -0700

On 11/29/2017 11:35 AM, Brian Kantor wrote:
> As I see it, the problem isn't with DKIM,

I don't think DKIM is (the source of) /the/ problem per se. Rather I think it's a complication of other things (DMARC) that interact with DKIM.

> it's with the implementation of DMARC and other such filters. Almost all of them TEST THE WRONG FROM ADDRESS. They compare the Author's address (the header From: line) instead of the Sender's address, (the SMTP Mail From: transaction or Sender: header line).

I believe it's more than just the implementation. The DMARC specification specifically calls out the RFC 5322 From: header.

Further, RFC 7489, Appendix A, § 3 speaks directly to this.

> If the filter checked the Sender address of mail instead of the Author address, mailing lists wouldn't be broken!

Perhaps. However, I fear we would be facing an entirely new type of spam that used spoofed From: headers and perfectly legitimate Sender: headers (that also match the RFC 5321 SMTP FROM address). See RFC 7489 § A.3.1.



--
Grant. . . .
unix || die
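
Added example, not part of the message above and not taken from any DMARC implementation: a minimal relaxed-alignment check that evaluates the same message against the RFC 5322 From: domain (as RFC 7489 specifies) and against the Sender:/MAIL FROM domain (the alternative proposed in the quoted text). The `evaluate` function, the sample messages, the `.example` domains and the two-label organizational-domain shortcut are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplifying assumption: organizational domain = last two labels.
    # Real DMARC (RFC 7489) derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(value):
    # Domain of the address in a header value, "" if the header is absent.
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def aligned(identity_domain, authenticated):
    # Relaxed alignment: an authenticated domain shares the org domain.
    return bool(identity_domain) and any(
        org_domain(d) == org_domain(identity_domain) for d in authenticated)

def evaluate(raw, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (from_check, sender_check) for one message.

    from_check: align against the RFC 5322 From: domain (what DMARC does).
    sender_check: hypothetical variant from the thread, aligning against
    Sender:, falling back to the RFC 5321 MAIL FROM domain.
    """
    msg = message_from_string(raw)
    authenticated = [d for d in (spf_pass_domain, *dkim_pass_domains) if d]
    from_dom = addr_domain(msg["From"])
    sender_dom = addr_domain(msg["Sender"]) or (spf_pass_domain or "")
    return aligned(from_dom, authenticated), aligned(sender_dom, authenticated)

# Constructed sample: list post. The list footer broke the author's DKIM
# signature; SPF passes for the list's envelope domain only.
LIST_POST = ("From: Alice <alice@author.example>\n"
             "Sender: discuss-bounces@lists.example\n"
             "Subject: [discuss] hello\n\nbody\n")
# Constructed sample: From: names a domain the sender does not control;
# Sender: and MAIL FROM are the sender's own, fully authenticated domain.
SPOOFED = ("From: Billing <billing@bank.example>\n"
           "Sender: mailer@bulk.example\n"
           "Subject: invoice\n\nbody\n")

if __name__ == "__main__":
    for name, raw, spf in (("list post", LIST_POST, "lists.example"),
                           ("spoofed From:", SPOOFED, "bulk.example")):
        print(name, evaluate(raw, spf_pass_domain=spf))
```

Both samples return `(False, True)`: the Sender-based check lets the list post through, but it cannot tell that post apart from the message whose From: header is spoofed.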
