On 11/23/20 11:49 AM, Brandon Long wrote:

    I imagine that the vast majority of intermediaries that break signatures
    number exactly one extra domain, so it's not very hard to reconstruct
    the chain of custody from origin to destination. Assuming the
    intermediary re-signs with the incoming auth-res, the destination can
    choose to believe that auth-res or not, right? Since this is an
    experiment, do we have an idea of what the rest of the problem is after
    the typical mailing list-like signature breakers are excluded?


No, as in the RFC says to remove them, so it's a standard part of implementation.

RFC 7601 4.1:

    instances of the header field that appear to originate within the
    ADMD but are actually added by foreign MTAs will be removed before
    delivery.


That's very different than "just maybe it might be removed".

The receiving MTA in the next domain doesn't have to discard the information before removing it. The act of removing it is so there isn't confusion about the ultimate auth-res, especially with MUAs. The incoming MTA is free to consider the previous auth-res just like it's free to consider the previous ARC auth-res.

Mike
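The removal rule quoted from RFC 7601 4.1 above, as an added illustration that is not code from the thread: a hypothetical border-MTA step that first records every incoming Authentication-Results field so local policy can weigh it, then strips the instances that claim the local authserv-id (assumed here to be example.com) before delivery. The sample message is constructed; what to do with fields bearing a foreign authserv-id is left to local policy and they are kept as-is here.

```python
import email
from email.message import Message

LOCAL_AUTHSERV_ID = "example.com"  # assumed identifier of our own ADMD

# Constructed sample: one A-R field from a mailing list (lists.example.net)
# and one that claims our own authserv-id although we have not evaluated
# the message yet, i.e. it was added by a foreign MTA.
RAW_MESSAGE = (
    "Authentication-Results: example.com; spf=pass smtp.mailfrom=sender.example\n"
    "Authentication-Results: lists.example.net; dkim=pass header.d=sender.example\n"
    "From: someone@sender.example\n"
    "To: user@example.com\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def authserv_id(value: str) -> str:
    """Extract the authserv-id: the first token of the field value, before
    any version number and before the ';' that ends the authserv-id part."""
    head = value.split(";", 1)[0]
    return head.split()[0].strip().lower()


def process_border(raw: str, local_id: str = LOCAL_AUTHSERV_ID):
    """Record every incoming A-R field, then strip those claiming local_id.

    Returns (seen, kept, message): `seen` lists all incoming
    (authserv-id, value) pairs for the local policy engine to consider,
    `kept` holds the values still present in the delivered copy.
    """
    msg: Message = email.message_from_string(raw)
    values = msg.get_all("Authentication-Results") or []
    seen = [(authserv_id(v), " ".join(v.split())) for v in values]
    # RFC 7601 4.1 as quoted above: a field that appears to originate within
    # our ADMD but arrived from outside is removed before delivery.
    kept = [v for sid, v in seen if sid != local_id.lower()]
    del msg["Authentication-Results"]  # drops every instance
    for v in kept:  # re-add only the surviving fields
        msg["Authentication-Results"] = v
    return seen, kept, msg
```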

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc