[mail-vet-discuss] ADSP and From header authentication?
Murray S. Kucherawy
msk at sendmail.com
Thu Oct 23 12:17:57 PDT 2008
Douglas Otis wrote:
> The sender-auth draft provides a mechanism for use when ADSP records
> are discovered, the From header field can be captured within an
> Authentication-Results header. The purpose of the Authentication-
> Results header is to convey to MUAs the results of various message
> "authentication" checks. Because the Author-Signature definition
> limits what is allowed within a compliant DKIM signature, neither
> ADSP, Sender-ID, nor SPF can properly be described as providing an
> authentication of the From header field, PRA, or the MAILFROM email-
> address respectively. The Author-Signature definition prevents a
> compliant signature "on-behalf-of" value from indicating a From
> header field has not been authenticated.
>
I'm afraid I'm missing how the definition of Author-Signature, which is
a property of the ADSP specification, alters what SPF or Sender-ID can
claim.

> In addition, the path registration process of Sender-ID and SPF only
> authorizes an SMTP client. An authorized SMTP client will not safely
> convey an assurance that the corresponding email-address was
> authenticated to represent the author or even being a valid use of the
> email-address.

A consumer of the data presented in this header field would be expected
to understand what an SPF "pass" or Sender-ID "pass" actually implies
before acting on it. There's text covering that in the draft already as
well, in the "Header Position and Interpretation" section.