[dmarc-discuss] Original Authentication Results
Murray S. Kucherawy
msk at cloudmark.com
Wed Feb 29 14:38:50 PST 2012
Hello DMARC community,
One of the adjunct proposals that DMARC might make use of is the concept of transitive trust. The general idea is as follows:
- A sends mail to B; A applies a DKIM signature or has an SPF record that attests to the sender's responsibility for the message
- B conducts DKIM or SPF validation of A's message
- B now alters the message in some way
- B re-mails the message to C, such as in a mailing list scenario
For SPF, the relay nature of this arrangement virtually guarantees that C's evaluation will fail. For DKIM, the alteration B makes invalidates the signature. In either case, C will get a double-fail.
In the case where C explicitly trusts B, B could make some kind of annotation to the message that indicates "When I got this message, DKIM and/or SPF passed. You can, if you wish, believe me when I say so." C could use this to lend credibility to the message and apply reputation even though it was not able to make a positive determination about the valid use of the evaluated domain name itself.
Although a specific application of Authentication-Results (RFC5451) could theoretically serve this purpose, the deployed base might find doing so difficult (or perhaps more importantly, easy to get wrong). Specific semantics have to be applied for that to work. The DMARC development team therefore is advancing an adjunct proposal that can be found here: https://datatracker.ietf.org/doc/draft-kucherawy-original-authres/
Reviews and comments of that document would be welcome.
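The receiver-side decision described above, as an added example that is not part of the original post or of the draft: C credits A's domain through B only when B is on C's explicit trust list and B itself authenticated to C on this hop, so an annotation nobody vouches for is ignored. The `Original-Authentication-Results` field name and its syntax (taken to match Authentication-Results), the `*.example` hosts, the trust map and the sample messages are assumptions constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

C_AUTHSERV_ID = "mx.c.example"                # C's own authserv-id (constructed)
TRUSTED_RELAYS = {"b.example": "mx.b.example"}  # assumed: relay domain -> its authserv-id
IDENT_PROP = {"dkim": "header.d", "spf": "smtp.mailfrom"}

def parse_authres(value):
    """Split 'authserv-id; method=result prop=value ...' into (id, [(method, result, props)])."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for clause in parts[1:]:
        m = re.match(r"(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return parts[0].lower(), results

def passing_domains(results):
    """Domains that got a 'pass': the DKIM d= value or the SPF MAIL FROM domain."""
    out = set()
    for method, result, props in results:
        ident = props.get(IDENT_PROP.get(method, ""))
        if result == "pass" and ident:
            out.add(ident.rsplit("@", 1)[-1].lower())
    return out

def evaluate(raw):
    """Return 'direct', 'transitive:<relay>' or 'none' for the From: domain."""
    msg = message_from_string(raw)
    author = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    local = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_authres(value)
        if authserv == C_AUTHSERV_ID:          # only results C produced itself count
            local |= passing_domains(results)
    if author in local:
        return "direct"
    for value in msg.get_all("Original-Authentication-Results", []):
        authserv, results = parse_authres(value)
        for domain, relay_id in TRUSTED_RELAYS.items():
            # Believe B's annotation only if B is trusted AND B authenticated on this hop.
            if authserv == relay_id and domain in local and author in passing_domains(results):
                return "transitive:" + domain
    return "none"

# Constructed samples: A's SPF and DKIM both fail at C after B altered and re-mailed the message.
OAR = "Original-Authentication-Results: mx.b.example; spf=pass smtp.mailfrom=a.example; dkim=pass header.d=a.example"
C_FAILS = "Authentication-Results: mx.c.example; spf=fail smtp.mailfrom=a.example; dkim=fail header.d=a.example"
TAIL = [OAR, "From: Alice <alice@a.example>", "", "body"]
RELAYED = "\n".join([C_FAILS + "; dkim=pass header.d=b.example"] + TAIL)  # B's own signature verifies
FORGED = "\n".join([C_FAILS] + TAIL)                                      # annotation with no authenticated B
```

`evaluate(RELAYED)` yields a transitive result through `b.example`, while `evaluate(FORGED)` yields `none` because nothing ties the annotation to a relay C authenticated.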