Mostly it looks good, but I have a few questions:
An MTA adding this header in either form MUST use its own hostname
only. It MUST be a fully-qualified domain name.
How come? In a setup where there is a farm of equivalent MTAs, I
don't see the advantage of having it say in-23.atl.mail.earthlink.net
rather than mail.earthlink.net or just earthlink.net. It's important
to know who added the header, but I don't care which of an ISP's 200
MTAs did it.
MTAs that are relaying mail rather than delivering it MAY
perform sender authentication or even take actions based on the
results found, but MUST NOT add a "Authentication-Results"
header if relaying rather than rejecting or discarding at the
gateway.
Again, how come? I have a bunch of forwarding addresses like
uucp(_at_)computer(_dot_)org, I already special case the mail that comes through
the forwards, and if there were an authentication results header, I'd
use it.
I think it would be better to say that the header should usually be
added by the MX for an address, since that's the only point where you
can check path authentication like SPF and Sender-ID. For content
authentication like DK and DKIM, you can do it anywhere you want, so I
don't see any reason to tell people not to.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html