[mail-vet-discuss] Draft as of 9/4/2007

[Damon]

> Authentication-Results: example.com
>            dkim=pass (good signature) header.i=@list-expander.example.com
> Received: .........
> Received: .........
> Received: .........
> Dkim-Signature: ...... d=example.com; i=list-expander.example.com;
>            h=...:Authentication-Results:...; ...
> Authentication-Results: example.com
>            dkim=pass (good signature) header.i=@sending.domain
> Received: by list-expander.example.com ...........
> Received: .........
> Received: .........
> Received: .........
> Dkim-Signature: ........... d=sending.domain ..........
>
> Just to be awkward, I have made the two Authentications to within the same
> trust boundary, but it need not be so. The various Received:s could have
> been added anywhere.
>
> So clearly an MUA should look at the top Authentication-Results: first,
> and then at the lower ones, believing them or not as he sees fit. But in
> this case, it is clear that the lower Authentication-Results: is as valid
> as the first, and example.com should clearly leave it in place (contrary
> to what you have written in 4.1). Example.com may also have tried (and
> failed, because the list-expander had broken it) to verify the lower
> signature), and might even have recorded that as a dkim=fail.
>
<snip>
Could also be used to find that an authenticator is broken or misbehaving.

Regards,
Damon