[ietf-dkim] Re: ISSUE 1525 -- Restriction to posting by first Author breaks email semantics

Douglas Otis dotis at mail-abuse.org
Tue Jan 22 18:12:01 PST 2008


On Jan 21, 2008, at 10:57 AM, Jim Fenton wrote:

> You're reading this a little out of context.  This isn't about  
> whether the message is legal or not, it's for determining whether  
> the Sender address can be used as a "tie breaker" to select among  
> multiple From addresses to determine which domain should be used for  
> an SSP lookup.
>
> I'm thinking that if we want to be thorough in handling this case  
> (and the fact that there have been ~110 messages on this thread,  
> despite the fact that it's an exceedingly rare corner case, seems to  
> suggest that we do) then SSP lookups should be performed on the  
> domain(s) of all address(es) in the From header field, excluding  
> those addresses for which there is a valid Author Signature.

Jim,

While RFC 4871 did not impose limits on the number of email-address  
domains contained within the From header, it seems dangerous and  
unlikely to be supported to suggest all email-addresses fitting within a  
From header should be searched for SSP records.  Imposing a limit  
requires messages with too many email-addresses within the From header  
to be considered "SSP non-compliant".  Setting a limit would be  
incumbent upon SSP to ensure interchange.  There must be some level of  
email-addresses that are considered compliant.  (Of course, indicating  
a policy is only established by the first email-address within the  
From header avoids this problem.)

The statement "excluding those addresses for which there is a valid  
Author Signature" needs to be rephrased.  This really depends upon the  
definition given "Author Signature" of course.  To make this clear,  
the statement would be-

  excluding those addresses for which there is a valid
  signature where the d= domain tag is at or above the
  email-address's domain.  Signatures using a g= restricted
  key will be considered SSP non-compliant for "strict"
  or "all" when not on behalf of an email-address within
  the From header.

This clarification overcomes yet another corner case where an office  
admin within the same domain sends a message on behalf of their  
manager.  This definition allows the signing domain to both indicate  
they sign "all" mail, and accurately indicate which entity introduced  
the message.  The signature's domain is seen as valid for the From  
email-address, while also being on-behalf-of the Sender email-address  
within the same domain.  The only exception needed would be for g=  
restricted keys.

-Doug
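The rewording proposed above (a signature covers a From address when its d= domain is at or above the address's domain, and a g= restricted key only counts on behalf of an address that is actually in the From header) can be checked mechanically. The following is an added example, not code from the original post or from any DKIM or SSP draft. It models a signature by its d=, i= and g= values only, takes the RFC 4871 defaults (i= defaults to "@" plus the d= domain; a g= pattern is matched against the local-part of i=, with one "*" wildcard and an empty g= matching nothing), and treats "at or above" as equal-to or a parent of the address domain. All addresses and signatures in it are constructed; names such as `evaluate` and `Signature` are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Signature:
    """Constructed model of a verified DKIM signature (hypothetical, for illustration)."""
    d: str                    # d= tag: signing domain
    i: Optional[str] = None   # i= tag: signing identity; RFC 4871 default is "@" + d
    g: Optional[str] = None   # g= tag of the selected key; None or "*" means unrestricted


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def local_of(addr: str) -> str:
    return addr.rsplit("@", 1)[0]


def at_or_above(signing_domain: str, addr_domain: str) -> bool:
    """True when signing_domain equals addr_domain or is a parent of it."""
    s = signing_domain.lower().rstrip(".")
    a = addr_domain.lower().rstrip(".")
    return a == s or a.endswith("." + s)


def g_matches(pattern: Optional[str], local: str) -> bool:
    """RFC 4871 g= matching: exact local-part or one '*' wildcard; empty g= never matches."""
    if pattern is None or pattern == "*":
        return True
    if pattern == "":
        return False
    if "*" in pattern:
        prefix, suffix = pattern.split("*", 1)
        return (local.startswith(prefix) and local.endswith(suffix)
                and len(local) >= len(prefix) + len(suffix))
    return pattern == local


def is_restricted(sig: Signature) -> bool:
    return sig.g is not None and sig.g != "*"


def identity(sig: Signature) -> str:
    return sig.i if sig.i else "@" + sig.d


def evaluate(from_addrs: List[str], sigs: List[Signature]) -> Tuple[List[str], List[Signature]]:
    """Apply the proposed rule.

    Returns (domains that still need an SSP lookup, signatures that would be
    SSP non-compliant for "strict"/"all": g= restricted keys not used on
    behalf of a From address).
    """
    from_norm = {a.lower() for a in from_addrs}
    covered = set()
    noncompliant: List[Signature] = []
    for sig in sigs:
        ident = identity(sig)
        if is_restricted(sig):
            # RFC 4871: a key whose g= does not match the i= local-part is ignored,
            # so the signature contributes nothing either way.
            if not g_matches(sig.g, local_of(ident)):
                continue
            # Proposed exception: a g= restricted signature counts only on behalf
            # of the exact identity it names, and only if that is a From address.
            if ident.lower() in from_norm:
                covered.add(ident.lower())
            else:
                noncompliant.append(sig)
            continue
        # Unrestricted key: covers every From address at or below d=.
        for a in from_norm:
            if at_or_above(sig.d, domain_of(a)):
                covered.add(a)
    need = sorted({domain_of(a) for a in from_norm if a not in covered})
    return need, noncompliant


if __name__ == "__main__":
    # Office-admin case from the post: admin signs on behalf of the manager
    # from the same domain with an unrestricted key; no SSP lookup is needed.
    print(evaluate(["manager@example.com"],
                   [Signature(d="example.com", i="admin@example.com")]))
    # Same message with a g=admin key: the identity is not in From, so the
    # signature is non-compliant and example.com still gets looked up.
    print(evaluate(["manager@example.com"],
                   [Signature(d="example.com", i="admin@example.com", g="admin")]))
```

Running the block prints `([], [])` for the unrestricted case and `(['example.com'], [Signature(...)])` for the g= restricted one, which is the distinction the post draws: the same-domain signature satisfies the From address while still naming the Sender identity, and only granular keys need the exception.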

