Jim Fenton wrote:
If there is consensus that this indeed isn't clear, we could easily add
verbiage to SSP stating that domains publishing SSP records other than
"unknown" MUST additionally ensure that they only sign messages
purporting to come from themselves when the address in the From: header
field is valid. That way, we're putting the additional burden on those
who publish SSP records but are not trying to modify the meaning of RFC
4871
I'd wonder how "purporting" and "valid" above would be
strictly defined.
And for any such pair of definitions, I'd then wonder how
I'd check the "MUST" by looking at someone's code.
Do we really want to go there in SSP? (Maybe guidance in
the overview would be better if we want to say anything
about this.)
S.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html