On Mar 20, 2008, at 9:06 PM, Scott Kitterman wrote:
On Thu, 20 Mar 2008 23:22:24 -0400 Sandy Wills <sandy(_at_)WEIJax(_dot_)com>
wrote:
And Sender is quite often (usually AFAIK) not displayed to the end
user. Once we're in the land of largely invisible header fields,
there is no ability to reliably sort out mail that is spoofed from a
particular domain. Why not include resent-* too?
For this statement to be correct, it might depend on being based upon
the distribution of MUAs and not the number of recipients. Many
recipients will see the From header as a composite of Sender and From
headers when the Sender header is present.
Unless the protocol is tied to From, it's essentially valueless from
my perspective. There is not a solution that is both pretty and
useful. Pick one.
A signature must include the From header within its hash. When the
signature has been created by the domain seen in the From header email-
address, but perhaps on behalf of a different identity, such as the
identity within the Sender header (both sharing the same domain), the
message should be considered compliant with the From (author's)
signing _domain's_ policies. An exception should be made when a key
restricts the local-part of an email-address and this identity is not
within the From header.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
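
The rule in the closing paragraph of the message above, as an added Python example that is not part of the original thread. It checks header coverage, signing domain and key restriction only and does no cryptographic verification. Assumptions: the key's local-part restriction is modelled as the `g=` key tag of RFC 4871 (the message names no tag), "same domain" means an exact match, and all sample values are constructed.

```python
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM tag=value list (signature or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def local_part_matches(pattern, local):
    """Match a local-part against a key restriction with at most one '*'."""
    if "*" not in pattern:
        return pattern == local
    prefix, suffix = pattern.split("*", 1)
    return (len(local) >= len(prefix) + len(suffix)
            and local.startswith(prefix) and local.endswith(suffix))

def from_policy_check(from_header, dkim_signature, key_record):
    """Return (compliant, reason) for the rule stated in the message above."""
    sig, key = parse_tags(dkim_signature), parse_tags(key_record)
    # The signature must include the From header within its hash.
    if "from" not in sig.get("h", "").lower().split(":"):
        return False, "from-not-signed"
    local, _, domain = parseaddr(from_header)[1].rpartition("@")
    # Assumption: "same domain" is an exact, case-insensitive match.
    if sig.get("d", "").lower() != domain.lower():
        return False, "domain-mismatch"
    # Assumption: the restriction is the g= key tag; absent means any local-part.
    if not local_part_matches(key.get("g", "*"), local):
        return False, "key-restricted-to-other-identity"
    return True, "compliant"

# Constructed sample data: author and Sender identity share example.com.
FROM = "Alice <alice@example.com>"
SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel; i=list-bot@example.com; "
       "h=from:sender:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
OPEN_KEY = "v=DKIM1; k=rsa; p=CONSTRUCTED"
BOUND_KEY = "v=DKIM1; g=list-bot; k=rsa; p=CONSTRUCTED"

if __name__ == "__main__":
    print(from_policy_check(FROM, SIG, OPEN_KEY))
    print(from_policy_check(FROM, SIG, BOUND_KEY))
    print(from_policy_check(FROM, SIG.replace("h=from:", "h="), OPEN_KEY))
```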