On Jun 10, 2014, at 2:47 PM, Murray S. Kucherawy <superu...@gmail.com> wrote:
> On Mon, Jun 9, 2014 at 11:52 PM, Franck Martin <fra...@peachymango.org> wrote:
> This is interesting, however it seems to me that DMARC should be more aware of it if used.
>
> Why? This is a way of satisfying the alignment requirement on the DKIM side. DMARC doesn't need to know it's there. The same is true of ATPS, for example.
>
> I would suggest to sign with a sub domain. This would keep alignment, but would allow you to see which DKIM signature worked. Once both DKIM signatures work, you would not need the delegated one.
>
> What would make both start working again? The problem we're trying to solve here is that the originator signature is broken by the list, and that's a (theoretically) immutable condition.
>
> I think DMARC should be made aware, so that it applies some constraints on when this signature is used/valid. Maybe only when there is a List-ID or List-Post header present, and the list has DKIM signed the whole message with its domain.
>
> Anyone can add a List-ID or List-Post header field, so I don't think that adds any additional security.
>
> It would require MLM to not drop DKIM headers... Still some configuration on MLM side, but less in the way messages are modified
>
> That's a much less visible and thus probably more tolerable change for MLM operators.

Dear Murray,

It would be helpful to reference TPA-Label instead of ATPS. ATPS can never be deployed.

While List-ID will not in itself confirm the message source, when used as a condition for authorization it will help ensure recipients can use this header to sort messages.

I am about to update this draft to help clarify why the TPA-Label approach is still better than several of the other quick fixes being suggested.

Regards,
Douglas Otis
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
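
Added example, not part of the thread: the subdomain-signing suggestion quoted above, evaluated under DMARC's relaxed and strict DKIM alignment modes (`adkim=r` / `adkim=s`). The domain names, the Authentication-Results value and the two-label `org_domain` shortcut are constructed assumptions; a real evaluator derives the organizational domain from the Public Suffix List.

```python
import re

# Constructed Authentication-Results value: the author's own signature was
# broken by the list, a signature from a subdomain of the author domain
# survived, and the list added its own signature.
AUTH_RESULTS = (
    "mx.receiver.example; "
    "dkim=fail header.d=author.example; "
    "dkim=pass header.d=deleg.author.example; "
    "dkim=pass header.d=list.example"
)

def org_domain(domain):
    """Assumption: organizational domain = last two labels (no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, d, adkim="r"):
    """DKIM identifier alignment: strict needs an exact match, relaxed
    only needs the same organizational domain."""
    f, d = from_domain.lower().rstrip("."), d.lower().rstrip(".")
    if adkim == "s":
        return f == d
    return org_domain(f) == org_domain(d)

def dkim_results(auth_results):
    """Return (d= domain, result) pairs from an Authentication-Results value."""
    pattern = r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)"
    return [(m.group(2).lower(), m.group(1).lower())
            for m in re.finditer(pattern, auth_results)]

def aligned_passes(from_domain, auth_results, adkim="r"):
    """Signing domains that both verified and align with the From domain."""
    return [d for d, res in dkim_results(auth_results)
            if res == "pass" and aligned(from_domain, d, adkim)]

if __name__ == "__main__":
    for mode in ("r", "s"):
        hits = aligned_passes("author.example", AUTH_RESULTS, mode)
        print(f"adkim={mode}: aligned passing d= domains: {hits}")
```

Under relaxed alignment the subdomain signature is the one that satisfies DMARC and is distinguishable in the results; an author domain publishing `adkim=s` gets no aligned pass from it, and the list's own signature never aligns in either mode.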