[mail-vet-discuss] Rfc 5451 extension for reporting other MTA's results
vesely at tana.it
Mon Apr 26 04:28:08 PDT 2010
About a forwarded message X -> Y -> Z, I wrote:
> Y verifies X's signature, writes an A-R line, and signs it. Later on, Z verifies Y's signature. However, Z's A-R will not repeat all of Y's resinfos: Although Z has verified that Y's A-R is pristine, it doesn't take the responsibility of reasserting those claims, even at the cost of significantly increasing the complexity of consuming Y's A-R downstream.
The complexity increase consists of having to identify and inspect the
relevant DKIM-Signature field, count how many times
"Authentication-Results" appears within its "h=" tag, and count
existing A-Rs to check that Y's one was actually signed and verified.
It may seem that this task would be more easily carried out by a
C-written filter on X during signature verification than by a client
Would it make sense for Z to write something like the following?
    resent-dkim=pass header.i=@X.example authserv-id=Y.example
    Received: from Y.example by Z.example
    Received: from X.example by Y.example
(Multiple forwarders could be arranged in a comma separated list, e.g.
authserv-id=Y2.example,Y1.example for X -> Y1 -> Y2 -> Z.)
I'd really prefer the simpler case of signatures not getting broken.
However, the syntax above would still be useful for reporting spf and
auth results, that can be verified by a single server only.
Just a thought.
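The bookkeeping the post describes (find the relevant DKIM-Signature, count how often "Authentication-Results" appears in its h= tag, and check which existing A-R fields that count actually selects) can be written down explicitly. The following is an added illustration and is not the poster's code nor anything from the mail-vet thread. It assumes that the cryptographic verification of Y's signature has already been done by a real DKIM verifier; it only performs the h= coverage check, following the RFC 6376 rule that each name in h= selects the next not-yet-selected instance of that field, searching from the bottom of the header block upward. The sample message, the domain names and the PLACEHOLDER hash/signature values are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample (not from the post): X -> Y -> Z.  Y verified X's
# signature, wrote its own A-R and signed it (h= names
# Authentication-Results once).  Z then added its own A-R on top, which
# Y's signature cannot cover.  bh= and b= are placeholders, not real values.
SAMPLE = """\
Authentication-Results: Z.example;
 dkim=pass header.d=Y.example
Received: from Y.example by Z.example
Authentication-Results: Y.example;
 dkim=pass header.i=@X.example
DKIM-Signature: v=1; a=rsa-sha256; d=Y.example; s=sel; c=relaxed/relaxed;
 h=From:To:Subject:Authentication-Results:Received; bh=PLACEHOLDER; b=PLACEHOLDER
Received: from X.example by Y.example
From: alice@X.example
To: bob@Z.example
Subject: test

body
"""


def parse_tags(sig_value):
    """Split a DKIM-Signature tag=value list (RFC 6376 3.2) into a dict.
    Folding whitespace inside a value is dropped, so h= can be split on ':'."""
    tags = {}
    for part in sig_value.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            tags[key.strip()] = re.sub(r'\s+', '', value)
    return tags


def find_signature(headers, signer_domain):
    """Return the tags of the first DKIM-Signature whose d= is signer_domain."""
    for name, value in headers:
        if name.lower() == 'dkim-signature':
            tags = parse_tags(value)
            if tags.get('d', '').lower() == signer_domain.lower():
                return tags
    return None


def signed_instances(headers, tags, field_name):
    """Top-down indexes of the instances of field_name covered by h=.
    RFC 6376 5.4.2: with k occurrences of the name in h=, the k bottom-most
    instances are signed; instances above them (added later) are not."""
    wanted = field_name.lower()
    k = sum(1 for h in tags.get('h', '').split(':') if h.lower() == wanted)
    indexes = [i for i, (name, _) in enumerate(headers) if name.lower() == wanted]
    return indexes[-k:] if k else []


def authserv_id(ar_value):
    """The authserv-id is the first token of an A-R value (RFC 5451 2.2);
    an optional version number may follow it before the ';'."""
    tokens = ar_value.split(';', 1)[0].split()
    return tokens[0] if tokens else ''


def ar_covered_by(raw_message, signer_domain):
    """authserv-ids of the Authentication-Results fields that signer_domain's
    DKIM-Signature covers through its h= tag (empty if no such signature)."""
    headers = list(message_from_string(raw_message).items())
    tags = find_signature(headers, signer_domain)
    if tags is None:
        return set()
    covered = signed_instances(headers, tags, 'Authentication-Results')
    return {authserv_id(headers[i][1]) for i in covered}


if __name__ == '__main__':
    # Y's signature covers only Y's own A-R, not the one Z added on top.
    print(ar_covered_by(SAMPLE, 'Y.example'))
```

Running the block prints `{'Y.example'}`: Z's own A-R sits above Y's signature and is outside the single instance the h= tag selects, which is exactly the counting a downstream consumer has to redo if Z does not re-assert Y's results.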