Keith Moore wrote:
> IIRC, an SSP check is done against the "Originator Address". This is
> either the rfc2822.from or rfc2822.sender.
That's not correct. It's only From.
> Look, it's not acceptable for DKIM to change the semantics of From.
> From can contain multiple addresses, From can contain an address other
> than that of the Originator, and if a Sender field is present From has
> no implied relationship with the party that originated the message.
> These semantics are well-established and have been in use for around 25
> years.
SSP as currently written does use Sender: (as a tie-breaker) in the
event that From: has multiple addresses. An alternative way to do this
might be to do an SSP for each address in the From: field that doesn't
have a valid signature (modulo disagreement on this point) and use the
most restrictive policy found.
> If you want to define a way for DKIM to say "the party who sent this
> message has permission to make statements on behalf of these From
> addresses" that's all well and good. What's not appropriate is to
> define DKIM in such a way as to wire in an assumption that From is
> always the party who originated the message.
We need to balance here between the definitions in specifications and
how ordinary people look at email. SSP is based on From: because that's
almost always what people see and if you send someone a message, and ask
who it's from, they will almost always point to it. If the recipient
thinks that From is the party who originated the message, that's
significant.
-Jim
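As an added illustration of the two lookup rules discussed in the thread (not code from the thread or from any SSP draft), a small Python sketch: the SSP rule that queries the From: domain and falls back to Sender: as the tie-breaker when From: lists several addresses, beside the per-address "most restrictive policy" alternative. The policy table, its labels and the restrictiveness ordering are assumptions standing in for the DNS records a verifier would actually fetch.

```python
from email.utils import getaddresses

# Constructed stand-in for the DNS SSP records a verifier would fetch
# (assumption: a table keyed by domain, not the real SSP record syntax).
SSP_RECORDS = {
    "example.com": "all",      # domain says all of its mail is signed
    "example.org": "unknown",  # no policy published
    "example.net": "some",     # domain signs only some of its mail
}
# Assumed ranking used to pick the "most restrictive" policy.
RESTRICTIVENESS = {"unknown": 0, "some": 1, "all": 2}

# Constructed sample headers: two From: addresses, list software as Sender:.
SAMPLE_HEADERS = {
    "From": "Alice <alice@example.com>, Bob <bob@example.net>",
    "Sender": "list@example.org",
}

def address_domains(header_value):
    """Return the lower-cased domain of every address in a header value."""
    return [addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses([header_value]) if "@" in addr]

def ssp_domain_current(headers):
    """SSP as described in the thread: query the From: domain; when From:
    lists several addresses, use Sender: as the tie-breaker."""
    from_domains = address_domains(headers.get("From", ""))
    if len(from_domains) == 1:
        return from_domains[0]
    sender = address_domains(headers.get("Sender", ""))
    return sender[0] if sender else None

def ssp_policy_most_restrictive(headers, signed_domains):
    """The alternative floated in the thread: look up SSP for every From:
    address lacking a valid signature and keep the strictest answer.
    Returns None when every From: address is covered by a signature."""
    result = None
    for domain in address_domains(headers.get("From", "")):
        if domain in signed_domains:
            continue  # a valid DKIM signature already covers this address
        policy = SSP_RECORDS.get(domain, "unknown")
        if result is None or RESTRICTIVENESS[policy] > RESTRICTIVENESS[result]:
            result = policy
    return result

if __name__ == "__main__":
    print("tie-breaker domain:", ssp_domain_current(SAMPLE_HEADERS))
    print("strictest unsigned policy:",
          ssp_policy_most_restrictive(SAMPLE_HEADERS, {"example.com"}))
```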
_______________________________________________
ietf-dkim mailing list
http://dkim.org