[Asrg] where the message originated

Michael Thomas mike at mtcc.com
Mon Jan 12 12:24:24 PST 2009


Franck Martin wrote:
> I have run a series of tests, where I sign a message (sent by me) but with only the Return-path containing my domain (DKIM does not sign the return-path as recommended in the spec).
> 
> I used the DKIM reflectors on www.dkim.org
> 
> and the assessment I got was: neutral (none of the signed field contain the domain of the signer).
> 
> as if it is wrong.
> 
> I think it should be a pass. I fear that many people that verify DKIM make the same mistake.

   Note that this is not about DKIM but about SSP/ADSP and Authentication-Results.
   I believe that the SSP/ADSP result should be neutral, but that the DKIM
   result is "pass". A lot of the reflectors haven't been updated for quite a
   while, and the earlier drafts of Auth-Res didn't make a distinction between
   DKIM and SSP/ADSP. So, true to form, differing implementations did differing
   things in the face of the ambiguity.

> 
> I'm thinking of adding an X-header that will contain my domain and sign it via DKIM and see if the reflectors are happier.

   I _think_ that my reflector does the right thing in that it separates out the
   dkim results from the ssp results, but I'm pretty sure that it's out of date
   wrt both the new auth-res draft and the adsp draft.

   In either case, an X-header isn't going to change anything. The ADSP part is
   always keyed off of the real live From address.

		Mike
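
The distinction discussed in this message, as an added example that is not part of the original post or of any reflector's code: the DKIM result and the ADSP result are computed separately, and only the From domain feeds the ADSP side. Assumptions: the `crypto_ok` argument stands in for real signature verification, no ADSP record is looked up, the result labels follow the wording used in the thread, and all domains, header values and the `X-Signer-Domain` header are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def sig_domain(value):
    """Return the d= (signing domain) tag of a DKIM-Signature value."""
    for tag in value.split(";"):
        name, _, val = tag.partition("=")
        if name.strip() == "d":
            return val.strip().lower()
    return None

def evaluate(raw, crypto_ok):
    """Report DKIM and ADSP separately.

    crypto_ok is the assumed cryptographic outcome for each DKIM-Signature
    header, in order; this sketch does no DNS lookup or hashing.
    """
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sigs = msg.get_all("DKIM-Signature", [])
    valid = [sig_domain(v) for v, ok in zip(sigs, crypto_ok) if ok]
    if not sigs:
        dkim = "none"
    else:
        dkim = "pass" if valid else "fail"
    # ADSP looks only at the From domain; Return-Path and X- headers are ignored.
    adsp = "pass" if author and author in valid else "neutral"
    return {"dkim": dkim, "adsp": adsp}

def build(from_addr, extra=""):
    # Constructed sample message; domains and signature values are placeholders.
    return (
        "Return-Path: <bounce@signer.example>\n"
        f"From: {from_addr}\n"
        + extra +
        "DKIM-Signature: v=1; a=rsa-sha256; d=signer.example; s=sel;\n"
        " h=from:subject:x-signer-domain; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
        "Subject: test\n\nbody\n"
    )

THIRD_PARTY = build("user@author.example")
WITH_X_HEADER = build("user@author.example", "X-Signer-Domain: signer.example\n")
FIRST_PARTY = build("user@signer.example")
```
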

