On 11/23/20 11:49 AM, Brandon Long wrote:
I imagine that the vast majority of intermediaries that break signatures
number exactly one extra domain, so it's not very hard to reconstruct
the chain of custody from origin to destination. Assuming the
intermediary resigns with the incoming auth-res, the destination can
choose to believe that auth-res or not, right? Since this is an
experiment, do we have an idea of what the rest of the problem is after
the typical mailing list-like signature breakers are excluded?
No, as in the RFC says to remove them, so it's a standard part of
implementation.
RFC 7601 4.1:
instances of the header field that appear to originate within the ADMD
but are actually added by foreign MTAs will be removed before delivery.
That's very different than "just maybe it might be removed"
The receiving MTA in the next domain doesn't have to discard the
information before removing it. The act of removing it is so there isn't
confusion about the ultimate auth-res, especially with MUAs. The
incoming MTA is free to consider the previous auth-res just like it's
free to consider the previous ARC auth-res.
Mike
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
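
An added example, not part of the thread or of any MTA's code, of the border behaviour discussed above: record every inbound Authentication-Results field so policy can consider it, then remove the instances that claim the local authserv-id before delivery. The authserv-id mx.example.net, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default

LOCAL_AUTHSERV_ID = "mx.example.net"  # assumption: this ADMD's authserv-id

# Constructed sample: a message as it arrives at the border MTA. Both
# Authentication-Results fields were added upstream; the second one
# falsely claims to come from the local ADMD.
RAW = (
    "Authentication-Results: lists.example.org; dkim=pass header.d=example.com\n"
    "Authentication-Results: mx.example.net; dkim=pass header.d=forged.example\n"
    "From: alice@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def authserv_id(value):
    """First token before the first ';' (a version number may follow it).
    Simplification: CFWS comments before the authserv-id are not handled."""
    head = value.split(";", 1)[0].split()
    return head[0].lower() if head else ""

def strip_at_border(raw, local_id=LOCAL_AUTHSERV_ID):
    """Return (message, considered, removed).
    considered: every inbound Authentication-Results value, kept for policy use.
    removed: the values dropped because they claim the local authserv-id."""
    msg = message_from_string(raw, policy=default)
    headers = msg.items()              # list of (name, value) in original order
    for name in set(msg.keys()):       # clear, then re-add to preserve order
        del msg[name]
    considered, removed = [], []
    for name, value in headers:
        value = str(value)
        if name.lower() == "authentication-results":
            considered.append(value)   # available to the receiver before removal
            if authserv_id(value) == local_id.lower():
                removed.append(value)  # appears local but was added upstream
                continue
        msg[name] = value
    return msg, considered, removed

if __name__ == "__main__":
    msg, considered, removed = strip_at_border(RAW)
    print("considered:", considered)
    print("removed:", removed)
    print(msg.as_string())
```

The border MTA would add its own Authentication-Results field after this step, so any instance carrying the local authserv-id that reaches an MUA is one it generated itself.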