mzajc 2 days ago

> This means you can just copy a server's signature from a piece of mail it signed onto another piece of mail that it didn't send, and it will still look like it's been signed by the server and coming from that server.

DKIM signs both body and select headers. Unless those match, the signature verification will fail. TFA is about a replay attack.

logicallee 2 days ago | parent

Edit: thanks for the clarification.

mzajc 2 days ago | parent

DKIM doesn't decide which headers are signed, the mail server does (in the h= field). Gmail signs both To and From[0], but these don't control the 'real' recipient - the RCPT TO command in SMTP does. The recipient would presumably show wrong in the mail client, but since mailing lists and aliases are a thing, this is not suspicious by default.

[0] h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to;
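Added example (not from the thread or from Gmail): a simplified Python model of what the h= tag above binds. It uses the quoted h= value with a constructed message, hashes headers under 'simple' canonicalization and leaves out the RSA/Ed25519 signing step, so it only shows which changes alter the signed input; the SMTP envelope (RCPT TO) never enters it, which is why a replay to a new recipient verifies.

```python
import hashlib
import re

# The h= tag quoted in the comment above; from/to/subject/date/message-id appear
# twice, which DKIM calls over-signing (see signed_header_block for the effect).
H_TAG = ("h=to:subject:message-id:date:from:mime-version:from:to:cc:subject "
         ":date:message-id:reply-to;")

def parse_h_tag(tag_list: str) -> list[str]:
    """Header names covered by the signature, lowercased; whitespace around ':' is legal."""
    m = re.search(r"\bh=([^;]*)", tag_list)
    if m is None:
        raise ValueError("no h= tag in DKIM-Signature")
    return [n.lower() for n in re.sub(r"\s+", "", m.group(1)).split(":") if n]

def signed_header_block(headers: list[tuple[str, str]], h_names: list[str]) -> bytes:
    """Simplified model of the header block the verifier hashes: each name in h=
    consumes the next not-yet-used instance of that header, searching from the
    bottom of the header block; a name with no instance left contributes nothing.
    Listing a name once more than it occurs therefore makes any later-added
    instance (e.g. a second From prepended by an attacker) change the hash."""
    unused = list(headers)
    parts = []
    for name in h_names:
        for i in range(len(unused) - 1, -1, -1):
            if unused[i][0].lower() == name:
                parts.append(f"{unused[i][0]}:{unused[i][1]}\r\n".encode())
                del unused[i]
                break
    return b"".join(parts)

def signature_input(headers, h_names, body: bytes) -> str:
    """SHA-256 over body hash plus signed headers (no canonicalization rules,
    no signing key). Envelope fields such as RCPT TO are never part of this."""
    bh = hashlib.sha256(body).digest()
    return hashlib.sha256(bh + signed_header_block(headers, h_names)).hexdigest()

# Constructed message as it was signed by the sending server.
ORIGINAL = [("From", "alice@example.com"), ("To", "bob@example.com"),
            ("Subject", "invoice"), ("Date", "Mon, 1 Jan 2024 00:00:00 +0000"),
            ("Message-ID", "<1@example.com>")]
BODY = b"please pay\r\n"
H = parse_h_tag(H_TAG)

def header_edit_detected(delivered_headers) -> bool:
    """True if the delivered header block would no longer match the signed input.
    A pure replay (same headers and body, different RCPT TO) returns False."""
    return signature_input(delivered_headers, H, BODY) != signature_input(ORIGINAL, H, BODY)
```

Verify real mail with a DKIM library rather than this model; the point here is only which inputs the signature covers.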