DK-milter 0.2.0 supports the updated ("base-01") DomainKeys draft.
Section 3.1 of draft-delany-domainkeys-base-01.txt proposes that DomainKeys
sign using the Sender: header instead of the From: header whenever both a
valid From: and a valid Sender: header are present.
For the following sample email:

  From: "Accounts" <accounts@...>
  To: "John Doe" <john@...>
  Subject: Your Bank Account
  Date: Fri, 02 Sep 2004 10:20:00 -0700 (PDT)

  Please click on the following link to update your account details

the domain in the Sender: header (bank.example.com) will be used to sign the
email and the verification result will be "good". The MUA, however, displays
the From: header, so to a casual user it looks as though the email came from
accounts@...
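To make the mismatch concrete, here is an added example (not DK-milter code) that applies both rules to a message: the base-01 rule, where Sender: takes precedence, and the From:-only rule argued for below. The sample message is constructed; bank.example.com is the domain from the post, while the other addresses are placeholders for the ones elided above.

```python
"""Which domain does a DomainKeys verifier attribute a message to?

Compares draft-delany-domainkeys-base-01 section 3.1 (Sender: wins when
both headers are present and valid) with a From:-only rule. A verifier
that reports "good" while the two disagree is exactly the case the post
warns about, so the mismatch itself is worth flagging.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: only bank.example.com comes from the post.
SAMPLE_MESSAGE = """\
From: "Accounts" <accounts@example.net>
Sender: <notify@bank.example.com>
To: "John Doe" <john@example.org>
Subject: Your Bank Account
Date: Fri, 02 Sep 2004 10:20:00 -0700 (PDT)

Please click on the following link to update your account details
"""


def header_domain(msg, name):
    """Return the lower-cased domain of an address header, or None
    when the header is absent or carries no parsable address."""
    value = msg.get(name)
    if value is None:
        return None
    _, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def signing_domain_base01(msg):
    """base-01 s.3.1: use Sender: if valid, otherwise fall back to From:."""
    return header_domain(msg, "Sender") or header_domain(msg, "From")


def signing_domain_from_only(msg):
    """The From:-based rule: always the domain the MUA displays."""
    return header_domain(msg, "From")


def displayed_vs_verified(raw):
    """Return (domain shown by the MUA, domain base-01 verifies, mismatch?)."""
    msg = message_from_string(raw)
    shown = signing_domain_from_only(msg)
    verified = signing_domain_base01(msg)
    return shown, verified, shown != verified
```

For the sample message the verified domain is bank.example.com while the displayed domain is example.net, so the mismatch flag is set; with no Sender: header both rules agree.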
"DomainKeys examines the From: domain to protect the user and deliver the
best possible user experience. Since most web and desktop mail clients only
show the From: header in their user interfaces, we think it should be the
primary way email is verified. If the user establishes their trust based on
the From: domain, then so should any system built to verify whether that
trust is warranted."
This change in the draft does not help to deliver the best possible user
experience. Quoting the draft:
"For the purposes of this document, authentication is seen from a user
perspective, and is intended to answer the question "who sent this
email?" where "who" is the email address the recipient sees and "this
email" is the content that the recipient sees."
The user sees the From: header, so that header, and not the Sender: header,
should be the one used for authentication.