DKIM, as I read it in RFC 4871, is meant to make address forgery more difficult, besides protecting sender identity and the integrity of the mail.
I have been searching for the details of which precise validation step prevents From:-header spoofing, taking into account the fact that Dave Rand and Doug Otis of Trend Micro argue that there's a weakness in DKIM when prepending a second From: header. Conversely, that would mean it's not possible with only one From: header.
Please uncover the error in my reasoning:

- Assuming I am a spammer who has registered the domain spammailer.com.
- Because I'm the owner, I'm authorized to set up DKIM records in DNS for the domain spammailer.com.
- Now I'm sending an email from my mail server, which has the private key, to accounting@ibm.com:
Header:

```
Return-Path: <spammer@spammailer.com>
Received:...
Received:...
Date: Wed, 17 Oct 2018 15:11:08 +0000
From: virginia.rometty@ibm.com
To: <accounting@ibm.com>
Message-ID: <010001663008-25440000@spammailer.com>
Subject: pay rise of 5%
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spammailer.com;
 s=bostonceltics; t=1519400838;
 h=from:subject:date:message-id:to:mime-version:content-type:content-transfer-encoding;
 bh=kpYel1IlDvqXEUc0SyIpXbMte3XpQOCXHl+zTyHQvGc=;
 b=NEUyWUoeKEoKAYTY8g04o73j+wrYUcEGSq7uwpbsAGo0OzuuIBluEfG1MbGF/Tf6yxxJB4
 gTDD3sqb19EsQxv39QsAwgddAz01Osw5LKU0MjLZpxw6NA8zLllJUsrNdNQAYSII9ip4xX
 ImU7+KFOEF+gmxR5aseUt5H6JT/aOmhPE9xsSyg9wLf0Bikyy5Cgh+Ay7AHQLMZogbTi9W
 dAPpZZcZs0pTwhcard6SaesypJ+xZNna+BA+C1vXrGDc+9stYZVi+Zufh6zlZo1E/sQSRL
 jowB1mjv1vjINRY30aq0rh4dT8RHe38/PKFf8vQHOSOKvjIKv984UeOTIFIUHw==
```
As far as I understand, the verification process now does the following:

- getting the public key from the sender domain d=spammailer.com+separator
- decrypting the DKIM signature with the spammer's public key, which passes (I suppose!) because the mail is not altered in any way.
Now the recipient at IBM accounting recognizes that there's an email from the CEO, which is displayed as the From: address in most MUAs.
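An added example (not part of the question) that walks the two verifier steps listed above on a constructed copy of the headers: it derives the DNS name the public key is fetched from and then compares the signing domain d= with the From: domain. The sample headers and placeholder bh=/b= values are constructed, and the domain comparison is DMARC's identifier alignment (RFC 7489), not a step of DKIM itself, which is the assumption the example rests on.

```python
import re
from email import message_from_string

# Constructed sample headers modelled on the question's message; bh=/b= are placeholders.
SAMPLE_HEADERS = """Return-Path: <spammer@spammailer.com>
Date: Wed, 17 Oct 2018 15:11:08 +0000
From: virginia.rometty@ibm.com
To: <accounting@ibm.com>
Subject: pay rise of 5%
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spammailer.com;
 s=bostonceltics; h=from:subject:date:to; bh=PLACEHOLDER=; b=PLACEHOLDER=

"""

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def key_record_name(tags):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def domain_of(address_header):
    """Domain part of an RFC 5322 address, with or without angle brackets."""
    match = re.search(r"<([^>]+)>", address_header)
    address = match.group(1) if match else address_header.strip()
    return address.rsplit("@", 1)[-1].lower()

def check_from_alignment(raw_message):
    """Compare the DKIM signing domain (d=) with the From: domain.
    DKIM itself never requires d= to match From:; requiring the match is
    DMARC's identifier alignment (RFC 7489, strict mode)."""
    msg = message_from_string(raw_message)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    signing_domain = tags["d"].lower()
    from_headers = msg.get_all("From") or []  # RFC 5322 allows exactly one From:
    author_domain = domain_of(from_headers[0]) if from_headers else ""
    return {
        "key_record": key_record_name(tags),
        "signing_domain": signing_domain,
        "from_domain": author_domain,
        "from_header_count": len(from_headers),
        "aligned": len(from_headers) == 1 and signing_domain == author_domain,
    }
```

Run against the sample, the signature domain resolves to the key record under spammailer.com while the From: domain is ibm.com, so the message is reported as not aligned even though the DKIM signature itself could verify.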