On Mon, Jan 27, 2025 at 1:14 PM Michael Thomas <m...@mtcc.com> wrote:
> >> which you can't do with l=.
> >
> > Something doesn't compute here. Back when the concern around the L tag
> > hit the public consciousness in May 2024, I observed a fair amount of
> > mail hitting my spamtrap network with the L tag set up in a way where
> > I was able to grab messages and modify the body to change it to add
> > "evil" links just fine, and then inject the message, receive it, and
> > it passes DKIM. So either I don't understand, or you're wrong about
> > that. L was implemented in a way that didn't "just allow appending
> > content," it also effectively allows modifying content beyond byte X
> > with no corresponding failure in the DKIM signature checks.
>
> The only way that would work is if the originator did something like
> l=0, which hopefully nobody does. If the l= contains the entire body as
> sent by the originator you wouldn't be able to do that.

Yep. In what I've observed, L=1. I'm glad you now agree that it's possible!

> That said, the complaints (overblown imo) about l= go back 20 years.
> It's hardly a new argument, and anything that supersedes it will have the
> same considerations.

"Hardly new" doesn't seem to be a suitable reason to leave it be.
"Anything new will have the same problem" is a heck of an assumption,
and not one I agree with.

Cheers,
Al Iverson

--
Al Iverson // 312-725-0130 // Chicago
http://www.spamresource.com // Deliverability
http://www.aliverson.com // All about me
https://xnnd.com/calendar // Book my calendar
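
The body-hash behaviour discussed in this message, as an added example that is not part of the original post or of any DKIM implementation: a Python check that recomputes bh= under "simple" body canonicalization and reports how many body octets fall outside l=. It assumes c=simple for the body and a SHA-256 body hash, and does not verify the header signature (b=); the function names, sample bodies and d=example.com are constructed for illustration.

```python
import base64
import hashlib

def canon_simple(body: bytes) -> bytes:
    # RFC 6376 "simple" body canonicalization: drop trailing empty lines,
    # leaving exactly one CRLF at the end (an empty body becomes CRLF).
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    # bh= is SHA-256 over the canonicalized body, truncated to l= octets if present.
    canon = canon_simple(body)
    data = canon if length is None else canon[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(sig: str) -> dict:
    # Split a DKIM-Signature value into tag=value pairs (folding whitespace removed).
    pairs = (p.split("=", 1) for p in sig.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def audit_body(sig: str, body: bytes) -> dict:
    # Report whether bh= verifies and how many body octets the hash does not cover.
    tags = parse_tags(sig)
    canon_len = len(canon_simple(body))
    length = int(tags["l"]) if "l" in tags else None
    if length is not None and length > canon_len:
        # l= must not exceed the canonicalized body length; treat as a failure.
        return {"bh_ok": False, "covered": canon_len, "unsigned": 0}
    ok = body_hash(body, length) == tags.get("bh")
    covered = canon_len if length is None else length
    return {"bh_ok": ok, "covered": covered, "unsigned": canon_len - covered}

def sample_sig(body: bytes, length=None) -> str:
    # Constructed header value (d=example.com is a placeholder; b= omitted).
    l_tag = "" if length is None else f" l={length};"
    return f"v=1; a=rsa-sha256; c=simple/simple; d=example.com;{l_tag} bh={body_hash(body, length)}"

# Constructed sample bodies: same first octet, different content after it.
SENT = b"Hello,\r\nYour invoice is attached.\r\n"
RECEIVED = b"Hello,\r\nA different paragraph with a different link.\r\n"

if __name__ == "__main__":
    for l in (1, len(SENT), None):
        print("l =", l, audit_body(sample_sig(SENT, l), RECEIVED))
```

A receiver can use the `unsigned` count to flag or distrust messages whose body hash verifies while most of the body lies outside the signed range.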