On 10/16/2024 11:13 AM, Brandon Long via mailop wrote:
> The general theory is that a replay involves mail for a DKIM domain
> coming from different sources/hops than it normally does. Having
> spf/dkim both align is usually a good indication that a message is
> not a replay,

ahh, that makes sense. thanks.

Seems like the same utility could be obtained by adding a header field
that indicates the sending IP Address and include it in the set signed
by DKIM.

Only authorized platforms can generate the signature and there's no need
to maintain a list with SPF.

Hmmm. While this carries the burden of requiring that the signer know
the IP address of the outbound, border SMTP client -- if it is not
itself -- I'm not immediately seeing a problem with doing this and it
seems pretty simple to add.

Receivers can then compare the signed IP Address with the one provided
by the network layer.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
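
The receiver-side comparison proposed in the message above, as an added example that is not part of the original post. The header name `X-Sending-IP`, the function names and the sample message are hypothetical and constructed for illustration; the code assumes the message's first DKIM-Signature has already been verified cryptographically by the caller.

```python
import email
import ipaddress
import re
from email import policy

SENDING_IP_HEADER = "X-Sending-IP"  # hypothetical: the thread does not name the field

def signed_header_names(dkim_signature: str) -> set[str]:
    """Return the lower-cased field names listed in the signature's h= tag."""
    unfolded = re.sub(r"\s+", "", dkim_signature)
    tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
    return {name.lower() for name in tags.get("h", "").split(":") if name}

def _normalize(ip_text: str):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def check_sending_ip(raw_message: bytes, peer_ip: str) -> str:
    """Compare the signed sending-IP field with the SMTP peer address.

    Returns "match", "mismatch" (possible replay), "unsigned" (field not
    covered by h=), "absent", or "invalid".
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    values = msg.get_all(SENDING_IP_HEADER, [])
    if not values:
        return "absent"
    if len(values) != 1:  # an extra copy may have been added after signing
        return "invalid"
    sig = msg.get("DKIM-Signature")
    if sig is None or SENDING_IP_HEADER.lower() not in signed_header_names(str(sig)):
        return "unsigned"
    try:
        claimed, seen = _normalize(str(values[0])), _normalize(peer_ip)
    except ValueError:
        return "invalid"
    return "match" if claimed == seen else "mismatch"

# Constructed sample; bh= and b= are placeholders, not real signature data.
SAMPLE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    b" h=from:to:subject:x-sending-ip; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"X-Sending-IP: 192.0.2.25\r\n"
    b"From: a@example.com\r\nTo: b@example.net\r\nSubject: test\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for peer in ("192.0.2.25", "::ffff:192.0.2.25", "198.51.100.7"):
        print(peer, "->", check_sending_ip(SAMPLE, peer))
```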