On Dec 15, 2008, at 7:58 AM, Victor Duchovni wrote:
> If downstream filters or MUAs want to use IP reputation and not
> domain reputation (whether the domain is authenticated, or verified
> to have authorized, ...) they need the IP address regardless of any
> domain authentication protocols, and don't really need an A-R header
> at all.
Victor,
Happy to see there is agreement about the Sender-ID or SPF mechanism.
When any Authentication-Results header annotation is being applied, as
the draft suggests, reputation of the source should be checked. In the
case of Sender-ID or SPF, the most critical reputation check would be
that of the SMTP client address as seen by the border MTA.
Unfortunately, the Authentication-Results draft fails to capture this
IP address in the case of Sender-ID or SPF. In addition, there is no
sure way for a consumer of the Authentication-Results header to
determine this IP address. The IP address MUST be captured by the
Authentication-Results header or using this header will be extremely
prone to exploitations that cannot be mitigated.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html