[mail-vet-discuss] Auth-Results issues? #11 section 9 examples

Tony Hansen tony at att.com
Wed Mar 22 22:19:52 PST 2006


In section 9.2, an A-R is shown that does not do any authentication.
Therefore, there is no verified identity and the headerspec
header.from=sender at example.com should not be shown. It hasn't been verified.

In sections 9.3, it shows an MTA adding an A-R header based on auth. I'm
sorry, but this is an impossible case. Authentication is done when the
message is submitted, not by the receiving MTA. These will almost
*never* be the same server. Also, it is specified with an smtp.mail
headerspec, which is wrong for auth, which should be using smtp.auth
instead of smtp.mail.

In section 9.4, an example is shown that combines auth=pass with
spf=pass. I'm sorry, but this is an impossible case. Authentication is
done when the message is submitted, whereas spf is checked by the
receiving MTA. These will almost *never* be the same server. Also, they
are combined under the smtp.mail headerspec, which is wrong for auth,
which should be smtp.auth instead of smtp.mail.

In section 9.5, an example is shown that combines a sender-id check with
a dkim check, both under a headerspec of header.from=sender at example.com.
This is wrong for several reasons. The sender-id check can certainly be
used that headerspec. But dkim does not 1) provide an identity from the
From: header, and 2) does not provide for user id validation. And again,
an auth=pass and an spf=fail are combined together, which is wrong as
was discussed in section 9.4.

	Tony Hansen
	tony at att.com


More information about the mail-vet-discuss mailing list