Charles Lindsey wrote:
On Wed, 03 Jun 2009 17:13:02 +0100, Murray S. Kucherawy
<msk(_at_)cloudmark(_dot_)com> wrote:
WTF is the point of inserting an A-R header if you are not willing to
take responsibility for what you have done by signing it?
And why should anyone else believe your A-R if you have omitted that
elementary step?
Because, if you've followed the RFC defining it, the border MTA has
removed any others present that could possibly be misinterpreted by
internal agents.
Yes, but that is the MTA at MY border. I would expect the assessor at MY
border to have indicated some degree of suspicion if the A-R header it was
about to remove (before substituting its own) was not included in the
signature that accompanied it.
The cases, IMO, of when an ar-header is useful from a foreign domain
are vanishingly small, so removing it is just a matter of good hygiene.
If capturing its essence is important, I suppose that we'll first see
border mta software using it for something. To my knowledge, nobody is.
(foreign a-r that is).
You're not required to sign them, but it's not a bad idea.
Then why are people on this list not trying to encourage that good
practice? Indeed, why are they so vociferously trying to DIScourage it?
Because it's a marginal case. At Cisco, the only thing that I'm aware*
that we were using a-r for was generating gross statistics, where what
even a trusted foreign verifier -- which we had none -- were useless for
what we were using it for. Maybe we were outliers, but I doubt it.
[*] yes a couple of us were using ar to color messages in our muas, but
we were a pretty self-selected, self-interested population
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
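
An added example, not part of any message in this thread and not code from any MTA: a sketch of the border step discussed above, which removes every inbound Authentication-Results header and records, for each one, whether a DKIM-Signature h= tag listed it and whether it claims the local authserv-id. The names strip_inbound_ar, mx.local.example and the sample message are assumptions constructed for illustration; being listed in h= only means a signer claimed to cover the header, not that the signature verifies.

```python
import re
from email import message_from_string

AR = "authentication-results"

# Constructed sample: a forged A-R claiming the local authserv-id sits above
# the sender's signature; the sender's own A-R sits below it and is in h=.
SAMPLE = (
    "Authentication-Results: mx.local.example; spf=pass smtp.mailfrom=x.example\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel;\n"
    " h=from:subject:authentication-results; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Authentication-Results: mx.sender.example; dkim=pass header.d=sender.example\n"
    "From: a@sender.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def listed_count(msg, name=AR):
    """Largest number of times `name` appears in any DKIM-Signature h= tag."""
    best = 0
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if m:
            fields = [f.strip().lower() for f in m.group(1).split(":")]
            best = max(best, fields.count(name))
    return best

def strip_inbound_ar(raw, local_id):
    """Remove all inbound A-R headers; return (message, per-header report)."""
    msg = message_from_string(raw)
    values = msg.get_all("Authentication-Results", [])
    # DKIM signs repeated headers bottom-up, so n listings in h= can only
    # cover the bottom-most n instances.
    first_listed = len(values) - listed_count(msg)
    report = []
    for i, value in enumerate(values):
        tokens = value.split(";", 1)[0].split()
        authserv_id = tokens[0].lower() if tokens else ""
        report.append({
            "authserv_id": authserv_id,
            "listed_in_h": i >= first_listed,
            "claims_local": authserv_id == local_id.lower(),
        })
    del msg["Authentication-Results"]  # deletes every occurrence
    return msg, report
```

The border MTA would add its own A-R header after this step; the report is what an assessor could log before the foreign headers are discarded.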