Doug,

The question of what qualifies as an Author Signature is a different
issue and we need to use the same definition in the multiple From
address case as in the single From address case. That is issue #1519,
and let's discuss it in the context of that issue.

I don't think that the specification should specify a limit on the
number of From address domains that should be checked, because RFC 2822
doesn't specify a limit. As a practical matter, some verifiers may
decide to impose their own limits, and I don't think that introduces a
problem with "interchange". SSP is really about giving additional
information to the verifier, and if they decide not to avail themselves
of all of the information available, that's up to them (as is the
decision whether they want to use SSP information at all).

-Jim

Douglas Otis wrote:
On Jan 21, 2008, at 10:57 AM, Jim Fenton wrote:
You're reading this a little out of context. This isn't about
whether the message is legal or not, it's for determining whether the
Sender address can be used as a "tie breaker" to select among multiple
From addresses to determine which domain should be used for an SSP
lookup.

I'm thinking that if we want to be thorough in handling this case
(and the fact that there have been ~110 messages on this thread,
despite the fact that it's an exceedingly rare corner case, seems to
suggest that we do) then SSP lookups should be performed on the
domain(s) of all address(es) in the From header field, excluding
those addresses for which there is a valid Author Signature.

Jim,

While RFC 4871 did not impose limits on the number of email-address
domains contained within the From header, it seems dangerous and
unlikely supported to suggest all email-addresses fitting within a
From header should be searched for SSP records. Imposing a limit
requires messages with too many email-addresses within the From header
to be considered "SSP non-compliant". Setting a limit would be
incumbent upon SSP to ensure interchange. There must be some level of
email-addresses that are considered compliant. (Of course, indicating
a policy is only established by the first email-address within the
From header avoids this problem.)

The statement "excluding those addresses for which there is a valid
Author Signature" needs to be rephrased. This really depends upon the
definition given "Author Signature" of course. To make this clear,
the statement would be-

    excluding those addresses for which there is a valid
    signature where the d= domain tag is at or above the
    email-address's domain. Signatures using a g= restricted
    key will be considered SSP non-compliant for "strict"
    or "all" when not on behalf of an email-address within
    the From header.

This clarification overcomes yet another corner case where an office
admin within the same domain sends a message on behalf of their
manager. This definition allows the signing domain to both indicate
they sign "all" mail, and accurately indicate which entity introduced
the message. The signature's domain is seen as valid for the From
email-address, while also being on-behalf-of the Sender email-address
within the same domain. The only exception needed would be for g=
restricted keys.

-Doug
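
The selection rule discussed in this thread, as an added example that is not code from either poster or from any specification: it lists the From domains that would still need an SSP lookup, using the proposed "d= at or above the email-address's domain" exclusion and an optional verifier-local cap. The function names, the `max_lookups` parameter and the sample header are assumptions made for illustration, and the g= restricted-key exception is not modelled.

```python
from email.utils import getaddresses

def domain_of(addr):
    """Return the lowercased domain of an addr-spec, or None if it has none."""
    _, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep and domain else None

def at_or_above(d_tag, addr_domain):
    """True if the signature's d= domain equals addr_domain or is a parent of it.

    The leading dot in the suffix test keeps d=example.com from matching
    an unrelated name such as notexample.com.
    """
    d_tag = d_tag.lower().rstrip(".")
    return addr_domain == d_tag or addr_domain.endswith("." + d_tag)

def ssp_lookup_domains(from_header, valid_sig_domains, max_lookups=None):
    """Domains of From addresses not covered by a valid signature, in header order.

    valid_sig_domains: d= values of signatures that have already verified
                       (assumed to come from a DKIM verifier run earlier).
    max_lookups:       hypothetical verifier-local cap; None checks every domain.
    """
    pending = []
    for _, addr in getaddresses([from_header]):
        dom = domain_of(addr)
        if dom is None or dom in pending:
            continue  # unparsable address, or domain already queued
        if any(at_or_above(d, dom) for d in valid_sig_domains):
            continue  # a valid signature sits at or above this address's domain
        pending.append(dom)
    return pending if max_lookups is None else pending[:max_lookups]

# Constructed sample header with three authors in three domains.
FROM = "Manager <boss@hq.example.com>, a@example.net, Carol <c@Example.ORG>"

if __name__ == "__main__":
    # One valid signature with d=example.com covers hq.example.com only.
    print(ssp_lookup_domains(FROM, ["example.com"]))
    # No valid signatures and a cap of one lookup.
    print(ssp_lookup_domains(FROM, [], max_lookups=1))
```

With a cap in place, the domains past the cap are simply never queried, which is the verifier-side choice the thread debates.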