
Re: [mail-vet-discuss] Auth-Results issues? #11 section 9 examples

2006-03-28 13:08:53
he he... nothing slips by Tony.

--
Arvel

Tony Hansen wrote:
In section 9.2, an A-R is shown that does not do any authentication.
Therefore, there is no verified identity and the headerspec
header.from=sender@example.com should not be shown. It hasn't
been verified.

In section 9.3, it shows an MTA adding an A-R header based on auth. I'm
sorry, but this is an impossible case. Authentication is done when the
message is submitted, not by the receiving MTA. These will almost
*never* be the same server. Also, it is specified with an smtp.mail
headerspec, which is wrong for auth, which should be using smtp.auth
instead of smtp.mail.

In section 9.4, an example is shown that combines auth=pass with
spf=pass. I'm sorry, but this is an impossible case. Authentication is
done when the message is submitted, whereas spf is checked by the
receiving MTA. These will almost *never* be the same server. Also, they
are combined under the smtp.mail headerspec, which is wrong for auth,
which should be smtp.auth instead of smtp.mail.

In section 9.5, an example is shown that combines a sender-id check with
a dkim check, both under a headerspec of header.from=sender@example.com.
This is wrong for several reasons. The sender-id check can certainly be
used with that headerspec. But dkim does not 1) provide an identity from the
From: header, and 2) does not provide for user id validation. And again,
an auth=pass and an spf=fail are combined together, which is wrong as
was discussed in section 9.4.

        Tony Hansen
        tony(_at_)att(_dot_)com
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
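
The objections in the message above, expressed as checks over constructed header values (an added example, not part of the original post or of the draft under discussion). The `method=result ptype.property=value` syntax, the finding names and every sample value are assumptions; the draft's own section 9 examples are not reproduced on this page.

```python
# Added example: header syntax, finding names and samples are assumptions.
RECEIVER_METHODS = {"spf", "sender-id", "dkim"}  # evaluated by the receiving MTA

def parse(value):
    """Return (authserv_id, [(methods, props), ...]) for one A-R header value."""
    segments = [s.strip() for s in value.split(";") if s.strip()]
    parsed = []
    for seg in segments[1:]:
        methods, props = {}, {}
        for token in seg.split():
            key, sep, val = token.partition("=")
            if not sep:
                continue  # bare word such as "none": carries no result or identity
            # keys like smtp.mail are identity properties, the rest are methods
            (props if "." in key else methods)[key.lower()] = val
        parsed.append((methods, props))
    return segments[0], parsed

def lint(value):
    """List which of the inconsistencies described in the message are present."""
    _, parsed = parse(value)
    findings, seen = [], set()
    for methods, props in parsed:
        seen |= set(methods)
        if props and not methods:
            findings.append("identity-without-check")      # section 9.2 point
        if "auth" in methods and set(props) - {"smtp.auth"}:
            findings.append("auth-not-under-smtp.auth")    # section 9.3 point
        if "dkim" in methods and "header.from" in props:
            findings.append("dkim-under-header.from")      # section 9.5 point
    if "auth" in seen and seen & RECEIVER_METHODS:
        findings.append("auth-mixed-with-receiver-check")  # section 9.4 point
    return findings

# Constructed samples, one per objection plus a consistent header.
SAMPLES = {
    "9.2-like": "mx.example.net; header.from=sender@example.com",
    "9.3-like": "mx.example.net; auth=pass smtp.mail=sender@example.com",
    "9.4-like": "mx.example.net; auth=pass spf=pass smtp.mail=sender@example.com",
    "9.5-like": "mx.example.net; sender-id=pass dkim=pass header.from=sender@example.com",
    "consistent": "mx.example.net; spf=pass smtp.mail=sender@example.com",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:11} {lint(value) or 'ok'}")
```
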
