Thanks, this is useful.

What would the Authentication-Results header look like? Presumably 3 results 
for DKIM (dkim=fail, dkim=pass, dkim=pass)? And what about DMARC? Show one 
result or two? Or maybe something like dmarc=conditionalpass?


-- Terry


________________________________
From: Murray S. Kucherawy <superu...@gmail.com>
Sent: Monday, May 18, 2015 6:18 PM
To: Terry Zink
Cc: Dave Crocker; dmarc@ietf.org
Subject: Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - 
Effort and Policy

On Mon, May 18, 2015 at 5:36 PM, Terry Zink 
<tz...@exchange.microsoft.com<mailto:tz...@exchange.microsoft.com>> wrote:
> I've implemented it now in libopendkim as a compile-time experimental feature,
> and it took me about four hours including testing.  I just have to add it to 
> the plugin
> that uses the library, and it'll be available for others to play with.

Can you give an example of what the stamped headers will look like?

Ideally on receipt by a list subscriber, the message would have the following 
DKIM signatures:

DKIM-Signature: v=1; d=authordomain.example; s=selector; ...
DKIM-Signature: v=2; d=authordomain.example; s=selector; !cd=mlm.example; l=0; 
...
DKIM-Signature: v=1; d=mlm.example; s=foobar; ...

Things of note:

1) I changed "@fs" to "!cd" versus what John specified.  I prefer "!" because 
we're calling that a "mandatory tag", and "cd" stands for "conditional domain" 
rather than "forward signature".  Mostly personal preference, but I'd argue 
they're more correct (for some value thereof); I'll change them to wherever 
consensus lands if we decide we want to adopt this proposal.

2) I understand there's unresolved debate about updating "v=".  I'll conform to 
that too when we make a decision.

3) The choice to do a weak signature using "l=0" was merely exemplary.  There 
are other choices, like which header fields to sign or use of 
"l=<original-length>", that can result in something weaker without being that 
wide open.

4) Similarly, I didn't set an expiration on the !cd signature, but should.

5) I've actually listed the signatures above in the opposite order I'd expect 
to see them on receipt.

6) The theory is that even if the author signature fails, the conditional 
author signature would be more likely to pass but is not valid without the MLM 
signature.  libopendkim would report this to the caller as valid in the crypto 
sense, but also note that the condition was not satisfied, so there's an error 
code associated with it.

7) Ultimately the caller sees all three signatures and their respective 
results.  If the original author signature survived, it's available to 
influence message disposition as well as the others.

-MSK
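The three-signature scenario described in the message above, as an added example (this is not libopendkim's code; the "!cd" handling, the result names and the Authentication-Results rendering are assumptions made from the message, not anything the draft defines): a small parser for the proposed "!cd" tag plus the caller-side evaluation that treats a conditional signature as passing only when a verified, unconditional signature from the named domain is also present.

```python
import re
from typing import Dict, List

# Constructed sample headers modelled on the three signatures in the message
# (bh= and b= are placeholders, not real hashes or signatures).
SAMPLE_HEADERS = [
    "DKIM-Signature: v=1; d=authordomain.example; s=selector; h=from:to:subject; bh=XXX; b=YYY",
    "DKIM-Signature: v=2; d=authordomain.example; s=selector; !cd=mlm.example; l=0; h=from; bh=XXX; b=YYY",
    "DKIM-Signature: v=1; d=mlm.example; s=foobar; h=from:to:subject; bh=XXX; b=YYY",
]

# Tag names may carry a leading '!' (the proposed "mandatory tag" marker).
TAG_RE = re.compile(r"\s*(!?[A-Za-z][A-Za-z0-9]*)\s*=\s*([^;]*?)\s*$")

def parse_tags(header: str) -> Dict[str, str]:
    """Split a DKIM-Signature field into its tag=value pairs."""
    _, _, body = header.partition(":")
    tags: Dict[str, str] = {}
    for part in body.split(";"):
        m = TAG_RE.match(part)
        if m:
            tags[m.group(1)] = m.group(2)
    return tags

def evaluate(headers: List[str], crypto_ok: List[bool]) -> List[str]:
    """Combine per-signature crypto results (assumed already computed by the
    caller, one bool per header) with the !cd condition. Result names are
    hypothetical: 'fail' = did not verify; 'pass' = verified and either
    unconditional or condition satisfied; 'cond-fail' = verified in the
    crypto sense but no verified signature from the !cd= domain is present."""
    parsed = [parse_tags(h) for h in headers]
    # Domains that contributed at least one verified, unconditional signature.
    plain_ok = {t["d"] for t, ok in zip(parsed, crypto_ok) if ok and "!cd" not in t}
    results = []
    for tags, ok in zip(parsed, crypto_ok):
        if not ok:
            results.append("fail")
        elif "!cd" in tags and tags["!cd"] not in plain_ok:
            results.append("cond-fail")
        else:
            results.append("pass")
    return results

def auth_results(authserv_id: str, headers: List[str], crypto_ok: List[bool]) -> str:
    """Render one dkim= clause per signature in Authentication-Results style
    (the 'cond-fail' result token is invented for this example)."""
    clauses = [f"dkim={res} header.d={t['d']} header.s={t['s']}"
               for t, res in zip(map(parse_tags, headers), evaluate(headers, crypto_ok))]
    return f"Authentication-Results: {authserv_id}; " + "; ".join(clauses)
```

With the author signature broken by the list and the other two verifying, `evaluate` yields fail/pass/pass; if the MLM signature is absent or broken, the conditional signature drops to cond-fail even though its crypto check succeeded.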
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc