DKIM and email address proof-of-control

Lachlan Gunn lachlan at twopif.net
Tue Aug 2 13:07:14 CEST 2016 

> Does that mean you sent the email from the @gmail.com address, but
> because you happened to be logged in with the @twopif.net address
> Google took it upon themselves to change the from address? I wouldn't
> like that: it is not up to the email provider to choose which of my
> email addresses I expose to which contacts.

I mean that I connect to Google's SMTP server with Thunderbird using the
"lachlan at twopif.net" login details, but configure the account's email
address to be lachlan.gunn at gmail.com, so that From: and MAIL FROM are
both @gmail.

> Rejecting with a clear message indicating the reason makes more sense
> to me.

Yes, however I expect that they decided that it would generate too much
confusion if people who mis-spelt their email address slightly were
unable to send mail.

> Even if they have such measures in place, the account may have extra
> addresses or aliases configured to send messages (GMX, Gmail, Yahoo,
> Riesup all allow this in slightly differing forms). Presumably a
> signature from a provider that allows this would have lower value than
> one from a provider that does not, but higher valve than one from a
> provider who was not known to have anti-spoofing measures in place?

I'm not sure exactly what you mean, but I don't think the existence of
such aliases is a problem---unless I misunderstand, ultimately the
sender still controls the alias, and it is no different from any other
email address in that respect.

> In that case, what attacks involving reply-to are you wishing to
> protect against?

The main thing is to prevent things like putting request at roboca into the
to: field in a mass email and then bank on someone hitting reply-to-all,
or by putting it into Reply-To.

Checking the subject line seems fairly reasonable, and requiring an
email in response to one the CA---In-Reply-To is signed in my test
messages, you can use a signature as the message ID---ought to make
things more difficult for anyone but the CA.

Thanks,
Lachlan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160802/14308691/attachment-0001.sig>

More information about the Gnupg-users mailing list