Hector Santos wrote:
Subject: Check your account
Date: Sun, 27 Aug 2006 05:04:42 -0700
From: accounts(_at_)bank(_dot_)com
To: PoorUser(_at_)ISP(_dot_)COM
Sender: support(_at_)asp(_dot_)com
DKIM-Signature: d=bank.com # invalid 1st party
DKIM-Signature: d=asp.com... # valid 3rd party
[...]
According to DKIM-BASE, the valid 3PS signature would make
this an valid DKIM message, even if the 1st party signature
failed.
As far as asp.com is concerned it is valid, no hops between you
and them manipulated the mail. Maybe one of their users got a
legit mail from bank.com and forwarded it to his mailbox behind
your MX - but then I'd expect to see a Resent-From or similar.
So from your POV it's invalid if the bank.com SSP says so, and
if you didn't forget to mention an important header field. But
your user might have arranged his forwarding via a munger, then
it's the known SPF problem.
it is the unrestricted vs. restricted 3rd party signatures
that we mostly differ at. Atleast that is how I see where
the disagreement lies.
It can be both correct: Let's take a realistic example, GMail
starts to offer forwarding, but adds some ads plus their own
signature, destroying the signature of bank.com. If we have
a couple of "MUST reject" and implementations actually doing
this they might give up. Something has to give, bank.com, the
munger, the verifier, or the user.
With mail I expect the worst, the crap is dumped with a big
red "fishy" icon into the mailbox of the unhappy user. The
user will delete it unread, bank.com will give up its SSP,
the verifier gives up to use DKIM... tell me why I'm wrong.
Frank
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html