In other words, if you have a gmail account and a yahoo account, there
is no reason to believe that either gmail or yahoo will see the other's
messages unless you are forwarding one to the other.

Well, duh. That's why you can only believe a gmail AR header from the
gmail account, and a yahoo header from a yahoo account unless you know
enough about the paths between them to know what's a real forward and what
isn't. If you have a third mailbox that doesn't do AR at all, you
probably need to ignore all the headers that account might send you,
gmail, yahoo, or otherwise. That's why I've been saying over and over and
over that an AR message is only credible if it arrived via a good path.
Tying the header name to the account is one way to do that BUT NOT THE
ONLY WAY, and in setups more complicated than your end user sitting at the
end of a VPN to HQ, often not even a feasible way.

To remedy that situation you have to leave a gaping security hole for
all others.

Sigh. Only if everyone involved are complete idiots. We seem to have
dealt adequately with the problem of forged received headers. Why do you
insist that the same people who can do that can't deal with forged AR
headers?

Because it can do harm if done wrong. Providing a false sense of
security is not helpful.

I guess I hold people in less contempt than you do.

If I sound extremely frustrated, it's because I am. Your argument boils
down to saying that since everyone else isn't as smart as you are and
their mail setup is more complicated than yours, it's too dangerous to
give them better tools.

R's,
John
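
One way to apply the "only credible if it arrived via a good path" rule from the message above, as an added example that is not part of the original thread. It assumes "AR" means the Authentication-Results header; the function name, host names and sample message are constructed for illustration.

```python
import email
import re

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

# Constructed sample: the top AR header was stamped by our border MTA; the
# lower one carries the same authserv-id but sits below our hop.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=sender.example
Received: from mail.sender.example by mx.example.net with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=bank.example
Received: from client by mail.sender.example; Mon, 1 Jan 2024 00:00:00 +0000
From: a@sender.example
Subject: constructed sample

body
"""

def credible_ar(raw, path):
    """Return Authentication-Results values stamped inside the known good path.

    `path` lists the "by" hosts of the reader's own hops, newest first.
    Assumptions: headers are prepended (top = newest), every hop in `path`
    adds one Received header, and a hop puts its AR header above its own
    Received header. Anything at or below the oldest trusted Received
    header could have come from the sender and is ignored.
    """
    wanted = [h.lower() for h in path]
    if not wanted:
        return []                  # no known path (mailbox that does no AR)
    pending, hop = [], 0
    for name, value in email.message_from_string(raw).items():
        key = name.lower()
        if key == "authentication-results":
            ids = value.split(";", 1)[0].split()
            if ids and ids[0].lower() in wanted:
                pending.append(" ".join(value.split()))
        elif key == "received":
            m = BY_HOST.search(value)
            if not m or m.group(1).lower() != wanted[hop]:
                return []          # not the path we know: believe nothing
            hop += 1
            if hop == len(wanted):
                return pending     # boundary reached; stop before untrusted headers
    return []                      # fewer hops than expected: believe nothing
```

The check fails closed: an unexpected hop, a missing hop, or an empty path yields no credible headers at all.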