ietf-dkim

Re: [ietf-dkim] Re: Role of Sender header as signing domain

2006-12-01 09:04:06
Charles Lindsey:
SSP needs an identity to key off of to lookup a policy.  The agreed identity
for that is 2822.From for several reasons:

But that is wholly back to front. The SSP policy to look up initially  
should be that of the domain making the signature.
...
If you have a signature, then all I am suggesting is that you first look  
at the SSP of a signer to see if that provides a satisfactory explanation.  

The bad guys can use SSP too. They will be more than happy to
provide you with every possible satisfactory explanation that you're
willing to believe.

For sure, you now know where the mail DID come from.

Nothing that DKIM-BASE didn't already tell you. In my opinion,
making decisions based on the signer's SSP instead of or before
the 2822.From SSP is the worst possible application of this
technology.  It's like allowing the idiots to run the asylum.

        Wietse