[ietf-dkim] Practices protocol naming poll (Closing issue 1550)
dotis at mail-abuse.org
Thu Mar 20 22:17:00 PDT 2008
On Mar 20, 2008, at 9:06 PM, Scott Kitterman wrote:
> On Thu, 20 Mar 2008 23:22:24 -0400 Sandy Wills <sandy at WEIJax.com>
> And Sender is quite often (usually AFAIK) not displayed to the end
> user. Once we're in the land of largely invisible header fields,
> there is no ability to reliably sort out mail that is spoofed from a
> particular domain. Why not include resent-* too?
For this statement to be correct, it might depend on being based upon
the distribution of MUAs and not the number of recipients. Many
recipients will see the From header as a composite of Sender and From
headers when the Sender header is present.
> Unless the protocol is tied to From, it's essentially valueless from
> my perspective. There is not a solution that is both pretty and
> useful. Pick one.
A signature must include the From header within its hash. When the
signature has been created by the domain seen in the From header email-
address, but perhaps on behalf of a different identity, such as the
identity within the Sender header (both sharing the same domain), the
message should be considered compliant with the From (author's)
signing _domain's_ policies. An exception should be made when a key
restricts the local-part of an email-address and this identity is not
within the From header.
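
The compliance rule described in the message above, written as a check; this is an added example, not part of the original post or of any DKIM implementation. It assumes the signature has already verified, and that the key's local-part restriction is the `g=` tag and the signing identity the `i=` tag of RFC 4871; the function names and sample values are constructed.

```python
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def from_policy_applies(from_header, dkim_signature, key_record):
    """Return (compliant, reason) for an already-verified signature."""
    sig, key = parse_tags(dkim_signature), parse_tags(key_record)
    # Simplification: addresses are compared case-insensitively.
    from_addr = parseaddr(from_header)[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    # 1. The From header must be inside the signature hash (h= tag).
    signed = [h.lower() for h in sig.get("h", "").split(":")]
    if "from" not in signed:
        return False, "From header is not covered by the signature"
    # 2. The signing domain must be the domain of the From address.
    d = sig.get("d", "").lower()
    if not d or d != from_domain:
        return False, "signing domain differs from the From domain"
    # i= defaults to "@" + d when absent (RFC 4871).
    ident = sig.get("i", "@" + d).lower()
    # Assumption: an i= identity in a subdomain of d= falls outside the rule.
    if ident.rpartition("@")[2] != from_domain:
        return False, "signing identity is outside the From domain"
    # 3. Exception: a key restricted to a local-part (g= other than "*")
    #    only counts when the signing identity is the From address itself.
    if key.get("g", "*") != "*" and ident != from_addr:
        return False, "restricted key signed for an identity not in From"
    return True, "signed by the From domain"

if __name__ == "__main__":
    # Constructed sample: a list robot signs on behalf of the Sender identity.
    frm = "Alice <alice@example.com>"
    sig = "v=1; d=example.com; i=list-bot@example.com; h=from:sender:subject"
    print(from_policy_applies(frm, sig, "v=DKIM1; p=PLACEHOLDER"))
    print(from_policy_applies(frm, sig, "v=DKIM1; g=list-bot; p=PLACEHOLDER"))
```
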