Michael Thomas wrote:
I frankly don't think it's anybody's business which mta a should or
should not
add an auth-res. There's nothing we can do to prevent this sort of
behavior, and I certainly wouldn't change mine based on this draft.
it's the job
of the incoming domain to strip out potentially untrusted auth-res
anyway.
Any MTA that is concerned about client security and misinterpretation
should strip out ALL AR headers except for its own. Anything else opens
up ambiguities in terms of who the client can trust. The client still
has to make a determination as to whether it can trust even the one AR
it sees. That is going to be difficult enough. This is why a better
solution would be an IMAP extension combined with an SMTP extension.
The defaults here are bad.
Eliot
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html