Michael Thomas wrote:
I think we'd do better to just not conflate both of these
things. There are signers that are willing to assert "this
passed through me, for whatever that's worth", and "this
passed through me, and I have a relationship with one or more
of the outside addresses visible". The first is, essentially,
a signed received header. The second provides the originating
domain a way to provide some amount of comfort to the
receiver that it's that domain sending the mail rather than
some random forger. They solve two different problems, IMO,
and a domain may well be willing to provide the first, but
not the second.
Is the first scenario one that DKIM is intended to support?
My understanding is that a signing party is vouching for the message. This
means that it is providing an assurance that the message contents, including
originating address fields, are authorised. If the signing party is
unwilling or unable to provide this assurance, then they should not apply a
signature. The receiving party can place a value on this assurance
depending on a variety of factors (relationship to originating address,
reputation, etc.).
--
James
_______________________________________________
ietf-dkim mailing list
<http://dkim.org>