John Levine writes:

> >Even if I grant you that (and I'm not sure I do), I also don't
> >know why OAR is better than AR.
>
> I get the impression there are two reasons for OAR:
>
> a) A-R is likely to be stripped by intermediate MTAs, OAR isn't.
>
> b) whoever suggested OAR didn't understand A-R semantics
You're joking, right? From the O-A-R I-D:

    Some sites wish to take into consideration such authentication
    results claimed by trusted intermediaries, effectively extending the
    trusted channel to specific external entities. Although [AUTHRES]
    includes support for this notion, this separate mechanism is simpler,
    more robust, and requires no changes to existing authentication
    infrastructure. Therefore, this document defines a new field called
    Original-Authentication-Results. The content of the field is
    identical to that specified in [AUTHRES]. This field is required to
    be unique, appearing only once in a message, and thus it is possible
    to determine conclusively whether or not it is included in the part
    of the header covered by a signature.

I think that's clear enough, although you might dispute whether it actually works as advertised (seems to, to me). It also seems good enough for 95% of all mailing list usage, including the "spear-phishing through an ML" case described earlier.

I wonder if the d, s, i fields in DKIM could somehow be co-opted to create a conventional authserv-id for A-R. That could make it easy to identify the "right" A-R in a header with multiple such. (Ignoring the case of a 3rd party deliberately introducing fake duplicates, which would make the message suspect all by itself.)

Regards,

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
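The uniqueness argument quoted from the I-D above, worked through as an added example (not code from the thread or from any DKIM implementation): given a header block and the h= tag of a DKIM-Signature, RFC 6376 section 5.4.2 says each listing of a field name in h= signs the next not-yet-selected instance counting from the bottom of the header block. With two Authentication-Results fields and one listing, only the bottom one is signed and a receiver cannot tell from h= alone which "A-R" the signer meant; with a single Original-Authentication-Results the answer is conclusive. The header block, the domain names and the bh=/b= placeholders are constructed sample data.

```python
import re

# Constructed sample header block (top to bottom), not taken from the thread.
# Two Authentication-Results fields exist; Original-Authentication-Results is unique.
HEADERS = [
    ("Authentication-Results", "mx.receiver.example; dkim=pass header.d=lists.example.org"),
    ("DKIM-Signature", "v=1; a=rsa-sha256; d=lists.example.org; s=sel; "
                       "h=From:Subject:Authentication-Results:Original-Authentication-Results; "
                       "bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("Original-Authentication-Results", "lists.example.org; spf=pass smtp.mailfrom=alice@sender.example"),
    ("Authentication-Results", "lists.example.org; spf=pass smtp.mailfrom=alice@sender.example"),
    ("From", "alice@sender.example"),
    ("Subject", "hello"),
]

def signed_header_names(sig_value):
    """Parse the h= tag of a DKIM-Signature value into lowercase field names."""
    m = re.search(r"(?:^|;)\s*h=([^;]*)", sig_value)
    return [n.strip().lower() for n in m.group(1).split(":") if n.strip()] if m else []

def covered_instances(headers, sig_value, name):
    """Indices of the instances of `name` that the signature's h= tag covers.
    RFC 6376 5.4.2: each listing of a name in h= selects the next not yet
    selected instance, scanning from the bottom of the header block upward."""
    name = name.lower()
    listings = signed_header_names(sig_value).count(name)
    bottom_up = [i for i in range(len(headers) - 1, -1, -1) if headers[i][0].lower() == name]
    return sorted(bottom_up[:listings])

def coverage(headers, sig_value, name):
    """'covered', 'partial' or 'unsigned' for the instances of `name`; 'absent' if none."""
    present = [i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()]
    if not present:
        return "absent"
    covered = covered_instances(headers, sig_value, name)
    if len(covered) == len(present):
        return "covered"
    return "partial" if covered else "unsigned"

if __name__ == "__main__":
    sig = next(v for n, v in HEADERS if n == "DKIM-Signature")
    for field in ("Authentication-Results", "Original-Authentication-Results"):
        # A-R: partial, only index 3 signed; O-A-R: covered, index 2
        print(field, coverage(HEADERS, sig, field), covered_instances(HEADERS, sig, field))
```

The same check applied by a receiver tells it which A-R instance a DKIM pass actually vouches for; any A-R prepended above the signature (here index 0) is never covered.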