spf-discuss

RE: possibilities for 2822

2005-08-19 12:19:18
From: Dick St.Peters [mailto:stpeters(_at_)NetHeaven(_dot_)com]
Sent: Thursday, August 18, 2005 2:32 PM
Graham Murray writes:

<...>

So I envision something like this: first, use v=spf1 to check the MAIL
FROM, then use spf2.0/pra to check the "i=" tag if present or the M$
PRA if not, then use DKIM to classify the signature verification
state.  All that remains then is specifying a matrix of what to do
with all the results.

I probably better duck ...

Not at all, this is a good thing to discuss.  You've presented a big picture
for mail validation, something that often gets lost.  In the above you
validate MAIL FROM with spf-classic and validate a PRA (however you
determine it) with spf2.  At that point, you've validated the domain that
sent the message and validated the PRA in the 2822 headers.  What does
further validation of a DKIM signature add?

A second minor question is can we rely on the sender's "i=" tag to identify
the PRA?  Could that assertion be a lie, even if the DKIM signature
validates?  I haven't thought this through (establishing the PRA is hard),
I'm just posing the question.

--

Seth Goodman
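As an added illustration of the PRA-selection step sketched in the quoted message (example code, not from this thread or either author): the script below picks the identity that an spf2.0/pra check would use, accepting a DKIM "i=" tag only when its domain lies within the signer's "d=" domain, and otherwise falling back to the RFC 4407 header order. The sample message, the tag parser and the containment rule are the editor's assumptions.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread): the DKIM-Signature
# carries an i= tag naming the claimed responsible address.
SAMPLE = """DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;
 i=alice@example.net; h=from:to; bh=AAAA; b=BBBB
From: alice@example.net
Sender: relay@mailer.example.org
To: bob@example.com
Subject: hi

body
"""

def dkim_tags(header):
    """Split a DKIM-Signature value into tag=value pairs (folding removed)."""
    flat = re.sub(r"\s+", "", header)
    return dict(t.split("=", 1) for t in flat.split(";") if "=" in t)

def header_pra(msg):
    """PRA fallback: first address present in the RFC 4407 header order."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(name):
            return msg[name].strip()
    return None

def pra_candidate(raw):
    """Return (address, source) for the identity spf2.0/pra should check."""
    msg = message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig:
        tags = dkim_tags(sig)
        i, d = tags.get("i"), tags.get("d", "").lower()
        if i and "@" in i and d:
            idom = i.rsplit("@", 1)[1].lower()
            # Only trust i= when it sits inside the signing domain d=;
            # an i= outside d= is an unbound assertion and is ignored.
            if idom == d or idom.endswith("." + d):
                return i, "dkim-i"
    return header_pra(msg), "header"
```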