[ietf-dkim] A potential problem with SSP bound to From

2005-10-29 15:40:42
Some email service providers support the ability for their users
to specify an alternate From address from the address supplied
by the provider.  I know Yahoo supports this for Mail Plus users
and Gmail now supports it also.

The problem is the email service provider may not be able to DKIM sign
messages sent out by such users since the domain in the rfc2822.From
does not match the sending domain.

Gmail does the following when using an alternate From:

  From: user(_at_)example(_dot_)com
  Sender: usersgmailname(_at_)gmail(_dot_)com

Now, if Gmail is able to bind a DKIM signature to Sender, then
it does not have to worry about the SSP policy of example.com.  If
it cannot, Gmail is discouraged from signing such messages since
signing them may reduce the chance the message gets delivered.

If example.com has an exclusive always-sign, non-3rd-party signing
policy, then the above user cannot do something like the above since
any DKIM verifier will fail such messages, regardless of Gmail's
signing policies.

--ewh
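
Added example (not part of the original post, and not code from any DKIM implementation): a simplified verifier decision showing how the header layout above fares when policy is bound to From versus Sender. The policy table, the "exclusive" label and the pass/fail/neutral results are assumptions standing in for an SSP lookup, and the signature is assumed to verify cryptographically.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header layout from the post, plus a signature by the
# provider's domain. Tag values are placeholders, not a real signature.
SAMPLE = """\
From: user@example.com
Sender: usersgmailname@gmail.com
DKIM-Signature: v=1; a=rsa-sha256; d=gmail.com; s=sel; h=from:sender; bh=AAAA; b=BBBB
Subject: test

body
"""

# Hypothetical policy table standing in for SSP lookups (not draft syntax).
# "exclusive": the domain signs everything and allows no third-party signers.
POLICIES = {"example.com": "exclusive"}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Sender header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, or None."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    return tags.get("d", "").strip().lower() or None

def evaluate(raw, bind_to):
    """Return 'pass', 'fail' or 'neutral' with policy looked up for bind_to."""
    msg = message_from_string(raw)
    # Fall back to From when the bound header (e.g. Sender) is absent.
    bound = domain_of(msg.get(bind_to)) or domain_of(msg.get("From"))
    signer = signing_domain(msg)
    if signer == bound:
        return "pass"      # first-party signature for the bound identity
    if POLICIES.get(bound) == "exclusive":
        return "fail"      # unsigned or third-party signed: policy rejects
    return "neutral"       # no policy published, nothing to enforce

if __name__ == "__main__":
    for header in ("From", "Sender"):
        print(header, "->", evaluate(SAMPLE, header))
```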