From: RW <rwmailli...@googlemail.com>

>On Fri, 5 May 2017 17:45:37 +0000
>David Jones wrote:

>> From: RW <rwmailli...@googlemail.com>
>>
>> >On Fri, 5 May 2017 14:51:32 +0000
>> >David Jones wrote:
>>
>> >> >I know. I do not want to validate the envelope from with DKIM. I
>> >> >just want to know if the mail was DKIM-VALID signed by the DOMAIN
>> >> >used in the envelope from.
>> >>
>> >> >So the only thing I want with the envelope from is to extract the
>> >> >domain and test if the mail was DKIM signed (and valid) by that
>> >> >domain.
>> >>
>> >> >This tells me the envelope from is not some random spoofed
>> >> >address, but actually controlled by someone who handled the
>> >> >e-mail before it arrived at our MTA.
>> >>
>> >> This actually would be a very useful rule/logic to add to SA:
>> >>
>> >>https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
>> >>
>>
>> >So what would be the point in running a separate DKIM test against
>> >the envelope if you are looking for alignment.
>>
>> I don't think this would be a separate DKIM test necessarily. It
>> should be a combination of SPF_PASS + DKIM_VALID_AU + the
>> envelope-from matches the DKIM-signed domain. This is basically
>> perfect DMARC alignment where the domain has "p=reject" and DMARC
>> would pass meaning the domain was not spoofed.

>Alignment of the two from addresses is needed in DMARC so that SPF can
>match on the same domain that the MUA displays (if it even does). It
>doesn't do anything for DKIM.

Did you read that returnpath.com link above about DMARC passing if SPF or DKIM passes and are aligned? They know what they are doing and I have seen this to be true in my own inbound mail based on OpenDMARC headers.

>I don't see why anyone would want a form of whitelisting where a
>DKIM pass on a trusted domain would be ignored if there's no SPF
>pass.

Correct. This is why I only add envelope-from domains to my whitelist_auth list that is currently 2,595 entries.
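
The combination discussed in this thread (SPF pass, a DKIM signature by the From: domain, and a DKIM signature by the envelope-from domain), as an added Python example that is not part of the original messages or of SpamAssassin. It reads results from Authentication-Results headers and uses exact domain matches only; the authserv-id mx.example.org, the function names, the result keys and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id stamped by your own MTA

def domain_of(value):
    """Lower-cased domain of an address header, or '' if there is none."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def passed_domains(msg):
    """Domains with spf=pass / dkim=pass in Authentication-Results we trust."""
    spf, dkim = set(), set()
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, *clauses = hdr.split(";")
        if authserv.split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # not added by our MTA, so the sender could have written it
        for clause in clauses:
            m = re.search(r"\bsmtp\.mailfrom=(\S+)", clause)
            if re.match(r"\s*spf=pass\b", clause) and m:
                spf.add(m.group(1).rpartition("@")[2].lower())
            m = re.search(r"\bheader\.d=(\S+)", clause)
            if re.match(r"\s*dkim=pass\b", clause) and m:
                dkim.add(m.group(1).lower())
    return spf, dkim

def evaluate(raw):
    """Compare the envelope-from and From: domains with the domains that passed."""
    msg = message_from_string(raw)
    env, author = domain_of(msg["Return-Path"]), domain_of(msg["From"])
    spf, dkim = passed_domains(msg)
    spf_ok = bool(env) and env in spf
    dkim_author = bool(author) and author in dkim  # what DKIM_VALID_AU expresses
    dkim_envelope = bool(env) and env in dkim      # signed by the envelope-from domain
    return {
        # DMARC-style: either mechanism passes and is aligned with From:
        "dmarc_like": dkim_author or (spf_ok and env == author),
        # the stricter combination proposed in the thread
        "spf_and_dkim_aligned": spf_ok and dkim_author and dkim_envelope,
    }

def sample(return_path, from_addr, authserv, spf_dom, dkim_dom):
    """Build a constructed test message (not real mail)."""
    return (f"Return-Path: <{return_path}>\n"
            f"Authentication-Results: {authserv};\n"
            f" spf=pass smtp.mailfrom={spf_dom};\n"
            f" dkim=pass header.d={dkim_dom}\n"
            f"From: Alice <{from_addr}>\nSubject: test\n\nbody\n")
```

Relaxed DMARC alignment compares organizational domains and needs a public suffix list, which this example leaves out.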