On 3/10/23 2:57 PM, Jim Fenton wrote:
On Mar 9, 2023 at 15:55:20 MST, Michael Thomas <m...@mtcc.com> wrote:
On 3/7/23 2:46 PM, Jim Fenton wrote:
Section 3.4:
I would always expect an inbound filtering service to do SPF/DKIM
checks and apply an Authentication-Results header field with the
result. Are there any that don’t?
I don't think we should count on Auth-res being there or not. As I
mentioned previously, there is a wealth of possible meta information
produced in the act of verification that is not necessarily
transported by the Auth-res header. Frankly, I'm not sure why Auth-res
needs to be brought up at all -- by the time it is applied, it has
already fallen into the black box of the receiver of which we know
little about.
The inbound filtering service is acting on behalf of a recipient
domain, so I expect that it would have some way to signaling any
authentication information that domain might need that it interferes
with (such as the sending IP address) by virtue of receiving the
message on their behalf. Authentication-results is one way that is
often done, but perhaps I was being too specific in citing it.
I'm thinking of it the other way around. That the signature evaluation
is done but then delivered to filters farther down the pipe. In the case
you're talking about, Auth-Res is essentially just informational which
is fine because that is pretty much what it is. For the replay problem,
I suspect you need a lot more information to make the preponderance of
evidence decision that spam filters live and die on.
Mike
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
