On 2022-11-09 at 06:47:55 UTC-0500 (Wed, 09 Nov 2022 11:47:55 +0000)
MRob via mailop <mro...@insiberia.net>
is rumored to have said:
On 2022-11-09 08:40, Slavko via mailop wrote:
Dňa 9. 11. o 0:34 MRob via mailop napísal(a):
... But if microsoft agree to DKIM-sign using envelope-from
(**signature including the FROM header**) shouldnt that mean it is
seeing the headers and can of course validate FROM header? For me
that show extra proof microsoft allowing free-form uncheked spoofing
DKIM doesn't validates any of signed header(s). It only digitaly
signs
them to receiver can verify that they wasn't modified on transport
(from signer to receiver). Nothing more, nothing less.
Not questioning about DKIM. The point is microsoft has FROM header in
its hand so it *can* easily do validation to the user account to
disallow spoof.
Not so much.
If I send mail via an MS service and put in a (working) address in my
own domain in the From header. How is Microsoft supposed to "validate"
that?
What they'd need to do in that case is to have alternative address
registration and confirmation at a per-user granularity. Users hate
that.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
