Douglas Otis writes:

 > After all, DMARC permits the weakest authorization as a basis for
 > acceptance, so it would be misleading to describe DMARC results as
 > having been *authenticated*.

Well, no, it isn't necessarily misleading.  According to RFC 4949,
authentication = identification + verification, while authorization is
a permission to do something.  For example, in DKIM "d=" identifies
the Signing Domain and "b=" + a DNS lookup provides the data needed
for verification.  At that point you have in fact authenticated the
Signing Domain, and with From alignment (and the additional
assumptions that the key is available only to the Author/Signing
Domain and that the Author Domain authenticates users) you have
authenticated the "authorization to use that mailbox in From."  (You
could add a lot more caveats -- there is a lot of attack surface in
email. :-( )  Some similar statement is true for SPF (at least under
favorable conditions :-).  AFAICS authenticating that particular
authorization is precisely what DMARC claims to do, although the I-D
uses different words to say that.

Anyway, AIUI, the question we're trying to address in Milestone One is
how does that affect third parties on the assumptions that (1) mail
receivers are satisfied that DMARC does what they think it does and
(2) such mail receivers respect "p=reject".

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

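To make the "authenticated identifier plus From alignment" point above concrete, here is an added worked example (written for this page, not code from the thread's author or from any DMARC implementation) of the identifier-alignment step that turns a verified DKIM `d=` or a passing SPF domain into a DMARC result, following RFC 7489 section 3.1. It assumes the DKIM signature has already been verified against the key fetched via DNS and SPF has already been evaluated; the public-suffix list, the result dataclasses and all domain names are constructed for the example.

```python
"""DMARC identifier alignment (RFC 7489 s.3.1), as an added worked example.

Assumptions: DKIM verification (the b= check against the DNS key) and the
SPF evaluation happen elsewhere; this code only decides whether an
authenticated identifier is ALIGNED with the RFC5322.From domain and what
the resulting DMARC result and disposition are.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, deliberately tiny public-suffix list. A real evaluator uses the
# full Public Suffix List to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain (one label above the public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            # A bare public suffix has no organizational domain above it.
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class DkimResult:
    d: str           # d= tag: the Signing Domain the signature identifies
    verified: bool   # b= verified against the public key fetched via DNS


@dataclass
class SpfResult:
    domain: str      # RFC5321.MailFrom (or HELO) domain SPF was evaluated for
    result: str      # "pass", "fail", "softfail", "neutral", "none", ...


@dataclass
class DmarcRecord:
    p: str = "none"      # requested policy for unaligned mail
    adkim: str = "r"     # DKIM alignment mode
    aspf: str = "r"      # SPF alignment mode


def evaluate_dmarc(from_domain: str, record: DmarcRecord,
                   dkim_results: List[DkimResult],
                   spf_result: Optional[SpfResult]) -> Tuple[str, str, List[str]]:
    """Return (dmarc_result, disposition, reasons).

    DMARC passes if ANY one authenticated identifier is aligned, which is
    the 'weakest acceptable authorization' the thread is discussing. The
    p= disposition is applied only when nothing aligned passed.
    """
    reasons: List[str] = []
    dkim_ok = False
    for r in dkim_results:
        if not r.verified:
            reasons.append(f"dkim d={r.d}: signature did not verify")
        elif aligned(r.d, from_domain, record.adkim):
            dkim_ok = True
            reasons.append(f"dkim d={r.d}: verified and aligned (adkim={record.adkim})")
        else:
            reasons.append(f"dkim d={r.d}: verified but not aligned with {from_domain}")

    spf_ok = False
    if spf_result is not None:
        if spf_result.result == "pass" and aligned(spf_result.domain, from_domain, record.aspf):
            spf_ok = True
            reasons.append(f"spf {spf_result.domain}: pass and aligned (aspf={record.aspf})")
        else:
            reasons.append(f"spf {spf_result.domain}: {spf_result.result}, not usable for alignment")

    if dkim_ok or spf_ok:
        return "pass", "none", reasons
    disposition = record.p if record.p in ("reject", "quarantine") else "none"
    return "fail", disposition, reasons


if __name__ == "__main__":
    # Constructed scenario: a third-party signer's DKIM verifies but is not
    # the Author Domain, and SPF passes for the same third party.
    result = evaluate_dmarc(
        "example.com", DmarcRecord(p="reject"),
        [DkimResult("esp.net", verified=True)], SpfResult("esp.net", "pass"))
    for line in result[2]:
        print(line)
    print("dmarc:", result[0], "disposition:", result[1])
```

Note that a verified signature from a domain that is not aligned still contributes nothing to the DMARC result: authentication of the Signing Domain succeeded, but the "authorization to use that mailbox in From" was not established, which is exactly the case a p=reject receiver will refuse.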