-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <[email protected] il.com>, Douglas Foster <[email protected]> writes
>Outbound gateways typically increase the perceived message authentication >state. This can occur: > >· Because the outbound gateway organization is included in the Mail >>From domain’s SPF records, or I don't see how you can tell that is the case except in special circumstances. >Authentication using login credentials should be >documented using the protocol data in the Received header field and using >an ARC Set with an AUTH=PASS term in the ARC-Authentication-Results header >field. assuming that is a SHOULD, is it appropriate for this document to mandate the use of an experimental protocol ? > Authentication using trusted IP should be verifiable by SPF, >when applied to the IP address in the Received field which documents >handoff from client organization to Outbound Gateway organization. That sentence implies that the use of many SPF macros is no longer to be endorsed (which is fine by me, but doubtless not what you intend) > For >similar reasons, DKIM signatures should be applied by the originating >organization and placed in the Trace fields. earlier you said that it was OK for an outgoing gateway to do that. I think you SHOULD make up your mind. > A DKIM signature added by >the Outbound Gateway organization has a lower trust value because it does >not prove that the handoff between client and gateway organizations was >authenticated. ... and you revisit it with a different point of view. I expect what you want to say is that if a gateway applies a DKIM signature on behalf of a client then it MUST assure itself that the mail is genuine. BTW I am not sure how you can tell who applied a DKIM signature or when. >Forwarding always causes loss of SPF authentication for purposes of >DMARC. nope ... some people (unwisely perhaps) have very widely cast SPF >Forwarding falls into two main groups: > >· Simple forwarders transmit a general mail stream to a single >alternate recipient. DKIM signatures are usually preserved, but not all >messages will have DKIM signatures. As a result, a significant portion of >the received mail stream will appear to be unauthenticated. > >· Mailing lists transmit accepted message to a list of >subscribers. The list typically adds content to the message subject, >message body, or both. Since it is a forwarder, SPF authentication is >lost. Because it changes the signed content, DKIM authentication is also >lost. Consequently, content-altering mailing list messages appear to lack >any authentication. "Alumni" forwarders send to single recipients, but many alter the message... also some mailing lists go out of their way not to break DKIM signatures. So there's four groups. >To promote favorable consideration, forwarders should apply >an ARC set to forwarded messages. again you have a SHOULD for an experimental protocol - -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBZzHuot2nQQHFxEViEQKEugCeJBFXm5DXHjC6ZKEk9ZBtR72fStIAn2xu D5Tx/iYz1zWD9T1nlvrJ7MGd =WPF5 -----END PGP SIGNATURE----- _______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
