hi Jim (and everyone)!
> I'm still missing a suggestion for what we use when the Sender header
> field does not match any of the addresses in the From. Do we then
> revert to First Author? All Authors?
The idea of checking SSP on up to N From: domains is the only suggestion
I've seen so far and I can't think of anything better.
So, if the SSP algorithm returns Suspicious for any one of the domains
found in From: then let that be the final SSP result (in fact, further
SSP checks could be skipped at this point). In other words, if even one
of the domains listed on the From: requires a verifiable signature and
that signature is NOT present then the message is Suspicious even if the
result of SSP for one or more of the other domains is non-Suspicious.
Would this work?
Arvel
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html