On 19 Mar 2025, at 1:30, Michael Thomas wrote: > On 3/5/25 9:14 PM, Murray S. Kucherawy wrote: >> On Wed, Mar 5, 2025 at 1:08 PM Michael Thomas <m...@mtcc.com> wrote: >> >> I've been reading the draft mentioned in the charter re: replay and >> rcpt-to and don't understand why that changes anything wrt replay. If >> there is a message that a spammer has discovered passes a recipient's >> spam filter, what difference does it make if it's a single smtp >> transaction or multiple transactions? >> >> >> If it's a single recipient message, you can include the recipient in the >> signed part of the message. > > You could if there were two -- or n for that matter. There may be practical > limits to including a big list of rcpt-to's it into the DKIM-Signature, but > that presupposes that it needs to be encoded in the signature block which > doesn't have to be the case if we don't want to. That is, we could invent a > new trace header called : > > Envelope-Information: mf=xxx; rt=yyy > > and just sign that header the usual way.
The problem with this is that the envelope information may include recipients that are bcc’ed on the message. That’s the reason that the Received trace header field usually has information about the envelope-to address only if there is a single address there. If there are multiple envelope-to addresses that is usually left out. -Jim _______________________________________________ Ietf-dkim mailing list -- ietf-dkim@ietf.org To unsubscribe send an email to ietf-dkim-le...@ietf.org
