----- "Dave CROCKER" <dhc(_at_)dcrocker(_dot_)net> wrote:
Michael Adkins wrote:
What is the basis for requiring it to be external?
Where the signer wanted reports about the message to go at the time the
message was sent is not relevant. Where the signer wants the reports to
go at the time the report is generated is relevant. It is common for
there to be a week or more delta between sending the message and a user
submitting a report. There is many a slip between cup and lip.
Oh.
Interesting point.
Anyone disagree with it? If so, how and why?
Michael's point is correct.
The presence of a header field that is signed does not guarantee that it
was placed there by the signer, merely that it was present when the
message was signed. It therefore does not provide a mechanism for
verifying that the requested destination address is authoritative for
the domain.
Oops. Right. I keep raising the same point about whether contents are
validated by DKIM. Sigh.
So, there's a Pandora's box that this raises, which is how to use DKIM in a
way that has the semantics of claiming that bits of contents are in fact valid?
I thought about putting the "I want ARF reports" information in the email or in
the DNS.
If it is solely in the DNS, then for every DKIM message, you have to query the
DNS, to check if the signing domain wants ARF reports. I suspect most will not
want them, or know what that is. This process may commit unnecessary resources.
I feel it is important to state in the email that the signer wants an ARF report, and
that the DNS could be used to verify that statement.
On privacy issues, some ARF processors strip any potential user identification
from the report: To, Message ID, email in the content, etc.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
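
An added example, not code from the thread or from any DKIM specification: a sketch of the "hint in the message, authority in the DNS" flow discussed above, where a DNS query is spent only when a signed hint header is present and the destination is taken from the signing domain's record at report time. The header name `X-ARF-Report-To`, the `_arf.<domain>` record name, the `rcpt=` tag and all sample data are hypothetical, and DKIM signature verification is assumed to have passed already.

```python
from email import message_from_string

HINT_HEADER = "X-ARF-Report-To"                        # hypothetical header name
ZONE = {"_arf.example.com": "rcpt=fbl@example.com"}    # constructed DNS data

# Constructed sample messages; bh=/b= values are placeholders.
WITH_HINT = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from:subject:x-arf-report-to; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "X-ARF-Report-To: old-fbl@example.com\n"
    "From: news@example.com\nSubject: hi\n\nbody\n")
NO_HINT = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: news@example.com\nSubject: hi\n\nbody\n")

def dkim_tags(value):
    """Parse a 'name=value; name=value' tag list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def report_destination(raw_message, lookup_txt):
    """Return the address an ARF report should go to, or None.

    lookup_txt(name) stands in for a DNS TXT query made at report time.
    """
    msg = message_from_string(raw_message)
    hint, sig = msg.get(HINT_HEADER), msg.get("DKIM-Signature")
    if hint is None or sig is None:
        return None                        # no hint: no DNS query is spent
    tags = dkim_tags(sig)
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    if HINT_HEADER.lower() not in signed or "d" not in tags:
        return None                        # an unsigned hint is ignored
    # A signed hint only shows the header was present at signing time;
    # the signing domain's own record is what makes a destination authoritative.
    record = lookup_txt("_arf." + tags["d"])           # hypothetical record name
    return dkim_tags(record).get("rcpt") if record else None

if __name__ == "__main__":
    print(report_destination(WITH_HINT, ZONE.get))     # current DNS address
    print(report_destination(NO_HINT, ZONE.get))       # None
```

The address in the header (`old-fbl@example.com`) is deliberately stale: the report goes to whatever the domain publishes when the report is generated.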