On Mon, Sep 06, 2004 at 03:20:35PM +0100,
Graham Murray <graham(_at_)webwayone(_dot_)co(_dot_)uk> wrote
a message of 18 lines which said:
My suggestion was that the MTA should insert a new header (for the
MUA and human) to show the PRA it calculated and
authenticated. Also, to avoid spoofing, that it also removes any
pre-existing instances of this new header so that the user will only
see the one inserted by the MTA/MDA from which the MUA fetched the
mail. This being similar behaviour to SpamAssassin which removes any
pre-existing "X-Spam-*" headers before adding its own.
Pre-existing "X-Spam-*" headers are indeed useless (or dangerous since
they can be forged) but, since SenderID authenticates a channel, not
the end-to-end message, pre-existing "Responsible-From" (or whatever
the name of the PRA header is) are still useful. The situation of
these PRA headers, to me, is closer from the "Received" headers, where
nobody objects there are several instances of them (and sometimes some
forged ones).