Arvel Hathcock wrote:
> hi Jim (and everyone)!
>
>> I'm still missing a suggestion for what we use when the Sender header
>> field does not match any of the addresses in the From. Do we then
>> revert to First Author? All Authors?
>
> The idea of checking SSP on up to N From: domains is the only
> suggestion I've seen so far and I can't think of anything better.
> So, if the SSP algorithm returns Suspicious for any one of the domains
> found in From: then let that be the final SSP result (in fact, further
> SSP checks could be skipped at this point). In other words, if even
> one of the domains listed on the From: requires a verifiable signature
> and that signature is NOT present then the message is Suspicious even
> if the result of SSP for one or more of the other domains is
> non-Suspicious.
> Would this work?

It could.

Let me summarize what I think we have consensus on (chairs, please
correct me if I'm incorrect because this is your call):

If a message has multiple From addresses, and the Sender address matches
one of the From addresses, then the SSP of the Sender address domain is
queried. (change from the first From address in the current draft)

What we have left to answer:

If a message has multiple From addresses, and the Sender address does
not match one of the From addresses, then I have seen three
possibilities proposed:

1. Use the domain of the first From address
2. Use the domain of the Sender address
3. Use the domains of all From addresses, and if the message is
Suspicious (SSP non-compliant) according to the SSP of any of the From
address domains, the message is considered Suspicious (SSP non-compliant).

Note that when I say "Sender address matches..." that means the entire
addr-spec of the address (including the local-part, but not the
display-name). If you think it should be something else (such as just
the domain part) that should be compared, please say so now.

Arvel's suggestion above is #3. I believe Hector earlier favored #2.

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
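
The domain-selection rules summarized in the message above, as an added example that is not part of the original post or of any DKIM/SSP draft: it picks the domain(s) whose SSP would be queried under each of the three proposed fallbacks and combines per-domain results the way option 3 describes. The function names, the `ssp_check` callable standing in for the per-domain SSP algorithm, the case-sensitive local-part comparison, and the handling of a single From address or a missing Sender are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

def addr_specs(msg, header):
    """addr-specs from all instances of a header; display-names are dropped."""
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]

def domain(addr_spec):
    return addr_spec.rpartition("@")[2].lower()

def same_addr_spec(a, b):
    # Whole addr-spec comparison, local-part included (as stated in the message).
    # Assumption: local-part is case-sensitive, domain is case-insensitive.
    la, _, da = a.rpartition("@")
    lb, _, db = b.rpartition("@")
    return la == lb and da.lower() == db.lower()

def domains_to_query(raw_message, fallback):
    """fallback is 'first_from' (#1), 'sender' (#2) or 'all_from' (#3)."""
    msg = message_from_string(raw_message)
    froms = addr_specs(msg, "From")
    senders = addr_specs(msg, "Sender")
    sender = senders[0] if senders else None   # assumption: no Sender = no match
    if len(froms) < 2:                         # assumption: not the multi-From case
        return [domain(f) for f in froms]
    if sender and any(same_addr_spec(sender, f) for f in froms):
        return [domain(sender)]                # the rule listed as consensus
    if fallback == "first_from":
        return [domain(froms[0])]
    if fallback == "sender":
        return [domain(sender)] if sender else []
    if fallback == "all_from":
        return list(dict.fromkeys(domain(f) for f in froms))  # ordered, de-duplicated
    raise ValueError(f"unknown fallback: {fallback}")

def combined_result(domains, ssp_check):
    """Option 3: Suspicious if any domain says so; later checks are skipped."""
    for d in domains:
        if ssp_check(d) == "Suspicious":
            return "Suspicious"
    return "non-Suspicious"

# Constructed sample: the Sender matches neither From address.
SAMPLE = (
    "From: Alice <alice@a.example>, Bob <bob@b.example>\n"
    "Sender: Carol <carol@c.example>\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    for option in ("first_from", "sender", "all_from"):
        print(option, domains_to_query(SAMPLE, option))
```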