On 5 Jan 2025, at 19:07, Murray S. Kucherawy wrote:

> On Sat, Dec 28, 2024 at 6:31 PM Bron Gondwana <brong=40fastmailteam....@dmarc.ietf.org> wrote:
>
>> - The SMTP RCPT TO address might not be present in the signed header fields of an email, meaning that the same message can be sent to arbitrarily many recipients, and those recipients cannot tell if the signer intended them as recipients.
>
> Am I poking a hornet's nest here, or is it safe to state that this is the commonly understood definition of "DKIM replay"?
>
> As was brought up elsewhere, do we need to be clear about whether this is expected to be an extension of existing DKIM or ultimately a replacement of it? Or are we keeping our options open, which is what the current text seems to be doing?
I have recently received a number of these replays in my personal email, so I think I understand the problem better.

At the risk of getting too far into the weeds: The RCPT TO address isn’t available to many DKIM implementations, so including it in the signature would be a breaking change. But DKIMbis could define an additional signature field, similar to the b= field but including the RCPT TO address. This would be ignored by current DKIM implementations but could be used by DKIMbis implementations, with the additional benefit of making it clear that it is the RCPT TO address, and not anything else, that has changed. That would be a non-breaking change.

Assuming the other goals of DKIMbis can be accomplished in similar ways, I consider the non-breaking approach preferable to defining a whole new header field.

-Jim
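An added illustration of the envelope-binding idea discussed above (example code written for this page, not from the thread, from any DKIM implementation, or from DKIMbis): it uses an HMAC with a shared key as a stand-in for DKIM's public-key signature, a simplified header canonicalization, and a hypothetical extra tag that covers the SMTP RCPT TO address. A legacy verifier ignores the extra tag and accepts a replayed copy; a verifier that checks it rejects the copy delivered to a recipient the signer did not name.

```python
import hashlib
import hmac

# Constructed sample message: signed header fields plus body (not a real email).
HEADERS = {
    "from": "alice@example.org",
    "to": "bob@example.org",
    "subject": "Invoice attached",
    "date": "Sun, 05 Jan 2025 19:07:00 +0000",
}
BODY = b"Please find the invoice attached.\r\n"
SIGNED_HEADERS = ("from", "to", "subject", "date")
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the signer's private key

def canonical_headers(headers, names):
    # Simplified "relaxed"-style canonicalization: lowercase name, single-spaced value.
    return "".join(f"{n}:{' '.join(headers[n].split())}\r\n" for n in names).encode()

def classic_sig(headers, body):
    # Stand-in for the b= tag: HMAC over the signed headers and the body hash.
    # Real DKIM uses an RSA/Ed25519 signature; HMAC keeps the example self-contained.
    bh = hashlib.sha256(body).digest()
    return hmac.new(SIGNING_KEY, canonical_headers(headers, SIGNED_HEADERS) + bh, "sha256").hexdigest()

def envelope_bound_sig(headers, body, rcpt_to):
    # Hypothetical extra tag: the same material plus the SMTP RCPT TO address.
    bh = hashlib.sha256(body).digest()
    material = canonical_headers(headers, SIGNED_HEADERS) + bh + rcpt_to.lower().encode()
    return hmac.new(SIGNING_KEY, material, "sha256").hexdigest()

def verify(headers, body, rcpt_to, sig_b, sig_env=None):
    # Returns (classic result, envelope-bound result); the latter is None for a
    # legacy verifier that does not know the extra tag and therefore ignores it.
    ok_classic = hmac.compare_digest(sig_b, classic_sig(headers, body))
    if sig_env is None:
        return ok_classic, None
    return ok_classic, hmac.compare_digest(sig_env, envelope_bound_sig(headers, body, rcpt_to))

def demo():
    sig_b = classic_sig(HEADERS, BODY)
    sig_env = envelope_bound_sig(HEADERS, BODY, "bob@example.org")
    # Original delivery: both checks pass.
    original = verify(HEADERS, BODY, "bob@example.org", sig_b, sig_env)
    # Replay: identical signed content re-sent to an envelope recipient the signer never named.
    replay = verify(HEADERS, BODY, "victim@example.net", sig_b, sig_env)
    return original, replay

if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

A message with several RCPT TO addresses would need one such tag per recipient or a tag over the whole envelope list; the thread does not settle that, and this example assumes a single recipient.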