On Thursday, August 20, 2020, Jesse Thompson <jesse.thompson=40wisc....@dmarc.ietf.org> wrote:
> On 8/20/20 4:00 PM, blong=40google....@dmarc.ietf.org wrote:
> > Neither atps nor spf include are really designed for large scale usage
>
> That's my conclusion, as well. I don't want to authorize every potential
> MLM to use all addresses in all of our domains carte blanche, even if I would
> otherwise trust them (e.g. their purported ARC results).
>
> I *do* want to authorize our *own* MLM(s) to use our own domains for
> *internal* use... so I thought for a minute... maybe ATSP has merit for
> small scale usage, as an alternative to SPF include? But no, I don't know
> if any MLM has a way to check to see if they are authorized via any
> mechanism, so they will continue to munge the From header for our
> DMARC-enabled domains anyway. So, for this *internal* use case, maybe I'll
> just check the ARC result from the trusted MLM and replace the From header
> with the value of Reply-to/X-Original-From, and call it a day.
>
> Jesse

This is why I proposed a tag that would have a value consisting of the
authorized intermediary domain. It would only be valid for that message.
Because the tag is signed separately from the rest of the message, it should
survive even if the intermediary modifies other parts of the message. If the
intermediary DKIM signs the modified message with their own signature, that
provides some assurance to the receiver. I haven't seen enough favorable
response to justify working on a detailed submission to the group. I'm not an
IETF standards wonk.

Michael Hammer
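A worked sketch of the per-message authorization tag described in the reply above, added here as an illustration; it is not code from this thread, from any IETF draft, or from any MTA. Everything named in it is an assumption: the X-Intermediary-Auth header and its d=/i=/b= tags, the domains wisc.example, lists.example.org and evil.example, and the message itself are all constructed for the example. Ed25519 keys held in an in-memory map stand in for DKIM's RSA/Ed25519 keys published in DNS, and the canonicalization is a toy, not RFC 6376 relaxed/simple. What it shows is the mechanism Michael Hammer describes: the originating domain signs only the tag plus the fields that pin it to this one message (From, Message-ID), so the usual MLM edits to Subject and body do not break it; the MLM signs the modified message with its own key; and the receiver accepts only when the domain named in the tag is the same domain whose signature now covers the whole message. A different relay re-signing the same message does not pass.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"sort"
	"strings"
)

// Message is a constructed stand-in for an RFC 5322 message: header fields keyed by
// lowercase name, the body, and the current whole-message signature (kept outside H
// so it is never part of its own coverage).
type Message struct {
	H    map[string]string
	Body string
	Sig  string
}

// Hypothetical header carrying the per-message intermediary authorization.
const tagHeader = "x-intermediary-auth"

// canon is a toy canonicalization (sorted lowercase names, trimmed values, CRLF
// joined); it is not RFC 6376 relaxed/simple canonicalization.
func canon(h map[string]string) []byte {
	names := make([]string, 0, len(h))
	for n := range h {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		b.WriteString(n + ":" + strings.TrimSpace(h[n]) + "\r\n")
	}
	return []byte(b.String())
}

// tagCoverage is what the tag signature covers: authorizing domain d, intermediary i,
// and the fields pinning it to this message. Subject and body are left out on purpose.
func tagCoverage(m *Message, d, i string) []byte {
	return canon(map[string]string{"from": m.H["from"], "message-id": m.H["message-id"], "d": d, "i": i})
}

// parseTags splits "k=v; k2=v2"; cutting at the first '=' keeps base64 padding intact.
func parseTags(v string) map[string]string {
	t := map[string]string{}
	for _, kv := range strings.Split(v, ";") {
		k, val, _ := strings.Cut(strings.TrimSpace(kv), "=")
		t[k] = val
	}
	return t
}

// verify treats an unknown signer (nil key) as failure instead of letting Verify panic.
func verify(pub ed25519.PublicKey, data []byte, b64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(b64)
	return err == nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, data, sig)
}

// AddIntermediaryTag: originating domain d authorizes intermediary i for this message
// only, signing just the tag and the message's identity fields.
func AddIntermediaryTag(m *Message, d, i string, priv ed25519.PrivateKey) {
	m.H[tagHeader] = "d=" + d + "; i=" + i + "; b=" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, tagCoverage(m, d, i)))
}

// SignWhole stands in for a DKIM signature by d over the message as it now is.
func SignWhole(m *Message, d string, priv ed25519.PrivateKey) {
	m.Sig = "d=" + d + "; b=" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, append(canon(m.H), m.Body...)))
}

// Evaluate is the receiver's check (keys stands in for DNS). It passes only if the
// whole-message signature verifies, the tag was signed by the From domain, and the
// tag names exactly the domain that signed the whole message.
func Evaluate(m *Message, keys map[string]ed25519.PublicKey) (string, bool) {
	whole, tag := parseTags(m.Sig), parseTags(m.H[tagHeader])
	fromDomain := strings.Trim(m.H["from"][strings.LastIndex(m.H["from"], "@")+1:], "> ")
	if !verify(keys[whole["d"]], append(canon(m.H), m.Body...), whole["b"]) ||
		!strings.EqualFold(tag["d"], fromDomain) ||
		!verify(keys[tag["d"]], tagCoverage(m, tag["d"], tag["i"]), tag["b"]) ||
		!strings.EqualFold(tag["i"], whole["d"]) {
		return "", false
	}
	return tag["i"], true
}

// Demo walks one constructed message through originator, MLM and receiver, then has
// a relay the tag does not name re-sign it. All domains and addresses are made up.
func Demo() (authorized string, ok, rogueOK bool) {
	origPub, origKey, _ := ed25519.GenerateKey(rand.Reader)
	mlmPub, mlmKey, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"wisc.example": origPub, "lists.example.org": mlmPub, "evil.example": roguePub}
	m := &Message{H: map[string]string{"from": "Jesse <jesse@wisc.example>", "to": "staff@lists.example.org",
		"subject": "Office hours", "message-id": "<1@wisc.example>"}, Body: "Thursdays 2-4.\r\n"}
	AddIntermediaryTag(m, "wisc.example", "lists.example.org", origKey)
	SignWhole(m, "wisc.example", origKey)
	m.H["subject"] = "[staff] " + m.H["subject"] // the MLM's usual DMARC-breaking edits...
	m.Body += "--\r\nUnsubscribe: https://lists.example.org/unsub\r\n"
	SignWhole(m, "lists.example.org", mlmKey) // ...then its own signature over the result
	authorized, ok = Evaluate(m, keys)
	SignWhole(m, "evil.example", rogueKey) // same message re-signed by an unauthorized relay
	_, rogueOK = Evaluate(m, keys)
	return authorized, ok, rogueOK
}
```

Demo() returns ("lists.example.org", true, false): the authorized MLM's edited copy passes, the unauthorized relay's copy of the very same message does not, because the tag names one domain and is bound to one From/Message-ID. Note what the receiver still has to do that a plain SPF include or ATPS record never required: verify two signatures with two keys and compare the intermediary identity across them. Any real version would also need a replay window (a tag plus a reused Message-ID is valid forever as written here) and the full RFC 6376 canonicalization and DNS key discovery this sketch omits.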
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc