Franck Martin wrote:
> I have run a series of tests, where I sign a message (sent by me) but with only
> the Return-path containing my domain (DKIM does not sign the return-path as
> recommended in the spec).
> I used the DKIM reflectors on www.dkim.org
> and the assessment I got was: neutral (none of the signed field contain the
> domain of the signer).
> like if it is wrong.
> I think it should be a pass. I fear that many people that verify DKIM make the
> same mistake.

Note that this is not about DKIM but about SSP/ADSP and Authentication-Results.
I believe that the SSP/ADSP result should be neutral, but that the DKIM
result is "pass". A lot of the reflectors haven't been updated for quite a
while, and the earlier drafts of Auth-Res didn't make a distinction between
DKIM and SSP/ADSP. So, true to form, differing implementations did differing
things in the face of the ambiguity.

> I'm thinking of adding an X-header that will contain my domain and sign it via
> DKIM and see if the reflectors are happier.

I _think_ that my reflector does the right thing in that it separates out the
dkim results from the ssp results, but I'm pretty sure that it's out of date
wrt both the new auth-res draft and the adsp draft.
In either case, an X-header isn't going to change anything. The ADSP part is
always keyed off of the real live From address.
Mike
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
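
The separation discussed in the thread, as an added example that is not part of the original messages: the DKIM result depends only on whether the signature verifies, while the ADSP side compares the signer's `d=` domain with the From domain, so a signed X-header changes nothing. The domains, the `X-Signer-Domain` header and the function names are hypothetical; signature verification is taken as an input, and the author-domain-signature rule (`d=` equal to the From domain) is assumed from RFC 5617.

```python
from email import message_from_string
from email.utils import parseaddr

def dkim_tags(value):
    """Split a DKIM-Signature tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def assess(raw_message, signature_verified):
    """Return the DKIM result and the ADSP inputs as two separate answers.

    signature_verified is the outcome of the cryptographic check, done
    elsewhere (assumption: this sketch performs no crypto itself).
    """
    msg = message_from_string(raw_message)
    signer = dkim_tags(msg["DKIM-Signature"])["d"].lower()
    # ADSP is keyed off the From address only, never Return-Path or X- headers.
    author = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {
        "dkim": "pass" if signature_verified else "fail",
        "signer_domain": signer,
        "adsp_lookup_domain": author,
        "author_domain_signature": signature_verified and signer == author,
    }

def make(from_addr, extra_header="", signed="from:subject"):
    # Constructed sample message; the bh= and b= values are placeholders.
    return (
        "Return-Path: <bounce@signer.example>\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=signer.example; s=sel;\n"
        f"  h={signed}; bh=PLACEHOLDER; b=PLACEHOLDER\n"
        f"From: {from_addr}\n{extra_header}"
        "Subject: test\n\nbody\n"
    )

# Signer domain appears only in Return-Path (the case tested in the thread).
THIRD_PARTY = make("user@other.example")
# Same message with a signed X-header carrying the signer's domain.
WITH_X_HEADER = make("user@other.example", "X-Signer-Domain: signer.example\n",
                     "from:subject:x-signer-domain")
# Signer domain matches the From domain.
FIRST_PARTY = make("user@signer.example")
```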