ietf-dkim

[ietf-dkim] Re: Message Replay Abuse and Acceptance of a Signature

2006-01-22 11:03:39
Douglas Otis wrote:

The DKIM signature however indicates the AdmD providing
initial access and not just the last hop.

Your X + Z example sounded like Z getting X's newsletters
directly (MON X to MRN Z).  For that case reducing it to
the one critical hop where one of X's MTAs determined one
of Z's MXs is an obvious solution, they should definitely
use SPF or CSV or similar if they want to know "does that
MTA claiming to be X really belong to X ?"

But if you have MRN Z behind any mediator(s) Z' we get the
known cases 1123 5.3.6(a) and (b).  Plus Hector's variant,
where mediator Z' replaces the signature of X by its own.

For the latter, arrangements between X and Z cannot help,
Z has to trust Z' and maybe arrange something with Z'.
Ditto:  X would have to arrange something with Z'.  That
case isn't interesting for DKIM, it's much more
straightforward to use SPF or CSV or similar for neighbours.

For _unmodified_ mails Z will "see" X's signature even if
it's behind Z'.  That sounds a bit like a "Web of trust"
reduced to AdMDs, the "society of wannabe-legit mailers":

Each MRN (Z) deciding which MONs (X) are IN or OUT from
its POV.  Okay, could work, no obvious problems so far.

                      Bye, Frank


_______________________________________________
ietf-dkim mailing list
http://dkim.org