I don't ever expect to see authentication results headers showing up
under From/To/Cc headers. However, I do expect to start seeing the
results of *reputation lookups* to start appearing for those messages
that have been verified to be from certain domains and/or users. That
verification will come from a variety of mechanisms, including the use
of dkim, domainkeys, smime, openpgp, goodmail, trusted
authentication-results headers and parameters, etc. The merging of
domain/user-verification with various reputation services is what I and
many others are interested in seeing.
Tony Hansen
tony(_at_)att(_dot_)com
Douglas Otis wrote:
On Nov 10, 2008, at 8:50 AM, J.D. Falk wrote:
On 07/11/2008 16:59, "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org> wrote:
When users become suspicious of a message, they are likely to
examine as much as they can, which of course includes the headers.
You've never met a real user, have you?
Speaking like a true boomer. Is this your opening into a career as a
legal witness. :^ )
I hope you are not suggesting it is okay to add deceptive headers to
email because users, when in doubt, never examine them?
Makes one wonder why practically _all_ email applications provide a
means to display either 'select' or 'all' headers. Imagine having
Authentication-Results headers appear below the Cc: header as a
default setting. : ^(
While it is normal to delete emails that leak past filters and
reputation checks, recognized email addresses are still more likely to
receive greater attention. When Authentication-Results headers appear
to confirm that a link or attachment originated from a trusted party,
who should be liable when this proves malicious and not having
originated from the party that appears to have been "authenticated"?
If Authentication-results headers were to improve security, and as the
draft suggests, reputations should be checked as well, then why aren't
identifiers that should be checked not included in the header?
If no one is looking, who would be confused by including relevant and
essential information? A cynic might expect the underlying reason is
to direct complaints to the hapless domains, rather than responsible
email-providers. After all, authorization is once removed from any
bad act. One may have let someone drive their car, but why only
include the identification vehicle owner in an accident report? The
IP address more closely represents who was in control of introducing
the message, and represents the most important identifier that should
always be checked. Can you explain why the IP address is missing in
the case of path registration methods?
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html