On 23 Jun 2013, John R. Levine wrote:
But first you might want to look at some of the signed bounce address
proposals like this one, and consider why nobody adopted them.
[Link to SES]
What I'm asking for is nothing like SES. I want the signature to be
based on the envelope MAIL FROM:, but it is still the body that gets
signed. No VERPing is called for.
My protocol would have almost the same mailserver behavior as ADSP,
except that where ADSP only pays attention to signatures where "d="
matches the right hand side of the RFC822 From:, my "EDSP" would only pay
attention to signatures where the "d=" matches the right hand side of the
RFC821 MAIL FROM:.
This means that someone can publish the strictest possible EDSP
without causing mailing list false positives. Mailing lists take
ownership of the MAIL FROM:, hence only an EDSP set by the list itself
will apply, and the original poster's EDSP will be correctly ignored.
Just like in SPF.
Of course, since the MAIL FROM: is usually not visible without pressing a
"show all headers" button, this would be more about leaving a clearer
audit trail than actually foiling phishes.
---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
NOTE WELL: This list operates according to