
Re: [ietf-dkim] Seriously.

2008-01-23 23:21:22
Ned Freed wrote:
I would really love it if we could get past the meta-discussion of "is
the multiple From: case important?" to the proposals that have been made
to address the issue.  These include:

1. Perform SSP checks on the domains of all From addresses in the
message, with the exception of addresses having valid Author
Signatures.  If any of the checks result in a Non-Compliant (formerly
Suspicious) result, then the message is considered Non-Compliant.

or

2. In the case of multiple From: addresses in the message, and the
domain part of one of the addresses matches the domain part of the
Sender address, then perform an SSP check on that address unless it has
a valid Author Signature.  If the Sender header field does not match the
domain of one of the From addresses or is missing [violating 2822], revert
to alternative #1.

This is an interesting, even novel approach. I'm still trying to
evaluate it. One question I have is how it would interact with what
headers are covered by the author signature. In particular, does the
Sender: field in this case have to be covered by the signature?

It might need to be, but I have a bigger concern about alternative 2. The Sender address and From address(es) have different meanings. Just because a particular author happens to be the sender of the message, should that affect which domains' signing policies apply? I can't see why it should, which is why I favor alternative 1 given that we're not going to do something arbitrary in the multiple-From case.

-Jim
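To make the difference between the two alternatives concrete, here is an added example (not code from the thread or from any DKIM implementation) that models both evaluation rules as decision functions. It assumes constructed inputs: the From and Sender domains, the set of domains carrying a valid Author Signature, and a table of published SSP results, with the labels "compliant" and "non-compliant" standing in for the real SSP outcomes.

```python
# Added example: the two proposed multiple-From SSP evaluation rules.
# Inputs and policy labels below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

COMPLIANT = "compliant"
NON_COMPLIANT = "non-compliant"


@dataclass
class Message:
    from_domains: List[str]        # domain part of each From: address
    sender_domain: Optional[str]   # None models a missing Sender: header
    author_signed: Set[str]        # domains with a valid Author Signature


def ssp_check(domain: str, policies: Dict[str, str]) -> str:
    """Look up the domain's published SSP result; no policy means compliant."""
    return policies.get(domain, COMPLIANT)


def alt1(msg: Message, policies: Dict[str, str]) -> str:
    """Alternative 1: SSP-check every From domain lacking an Author Signature.
    Any Non-Compliant result makes the whole message Non-Compliant."""
    for domain in msg.from_domains:
        if domain in msg.author_signed:
            continue
        if ssp_check(domain, policies) == NON_COMPLIANT:
            return NON_COMPLIANT
    return COMPLIANT


def alt2(msg: Message, policies: Dict[str, str]) -> str:
    """Alternative 2: with multiple From addresses, check only the one whose
    domain matches Sender; if Sender is missing or matches none, use alt1."""
    if len(msg.from_domains) <= 1:
        return alt1(msg, policies)           # single From: same as alt1
    if msg.sender_domain in msg.from_domains:
        domain = msg.sender_domain
        if domain in msg.author_signed:
            return COMPLIANT                 # signed author needs no SSP check
        return ssp_check(domain, policies)
    return alt1(msg, policies)               # revert to alternative #1


# Constructed case: two authors, the signed one is also the Sender, the
# other's domain publishes a policy that marks unsigned mail Non-Compliant.
EXAMPLE = Message(["a.example", "b.example"], "a.example", {"a.example"})
POLICIES = {"b.example": NON_COMPLIANT}
```

Running `alt1(EXAMPLE, POLICIES)` yields non-compliant while `alt2(EXAMPLE, POLICIES)` yields compliant: under alternative 2 the second author's policy is never consulted because the first author happens to be the Sender, which is exactly the concern raised above.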
