On 11/24/20 3:24 PM, Brandon Long wrote:

On Tue, Nov 24, 2020 at 2:49 PM Michael Thomas <m...@mtcc.com> wrote:



    Sorry, changing the auth-res to old-auth-res and dkim signing the
    message would be completely sufficient, and far easier to understand
    with a lot less bloat. All of this hand wringing about dozens of message
    manglers in the path before it gets to the destination and not being able
    to figure out which auth-res was which seems wildly out of proportion for
    what the normal case is: 1 message mangler in the path before it arrives
    at the receiver's domain. Just like this message right here. That's why
    I asked how common that was, which was dismissed, but not answered.


Note that this was exactly what we started with, X-Original-Authentication-Results and with Google's implementation signing that with X-Google-DKIM-Signature.

Our version didn't just sign with DKIM-Signature because of the reasons already stated in this thread, that our understanding of how DKIM-Signature was being used made it a poor choice.


Sorry, I didn't see that. Pointer?


Our experience also showed that more than one hop is quite common in enterprise deployments, and those are also the places where the most complexity arises.  Others shared our experience as well.

That's more than one modifying intermediary in *separate* administrative domains? Within your own administrative domain there shouldn't be an issue of trust, since you can trust your own servers' auth-res and that they are not maliciously trying to forge an auth-res for better treatment. And of course it's best to stop a bad message as soon as possible in the mail pipeline, if for no other reason than why waste the resources.



You say that your message had 1 mangler in the path, but really you don't know that.  It is likely that some people on this list are on enterprise accounts who are behind mangling inbound gateways (rewriting urls to go through safety checking hops is common, for example).  Or maybe they are on with University accounts using exchange but forward their mail to a personal or department gmail account.


Well sure, I'm sure it can happen, but is it common enough to worry about? And I'm still not convinced that figuring out who signed what and which auth-res it belonged to is an insurmountable problem. For one, there are Received headers, which had better not be getting out of order, to help correlate with the message's path through intermediary verifiers too.

Mike
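The two mechanisms argued over above, a forwarder renaming its Authentication-Results to a preserved header (the thread's X-Original-Authentication-Results) and covering it with its own DKIM signature, and the receiver correlating that header with the Received chain, can be shown in a small receiver-side check. The code below is an added example, not from this thread or from any participant's or Google's implementation. It assumes the signature's b= value has already been cryptographically verified elsewhere and only decides which header instances a trusted intermediary's signature binds (bottom-up selection per RFC 6376 §5.4.2), then keeps only results whose authserv-id appears as a "by" host in a Received header. All domains, hosts and header values in SAMPLE are constructed; the signature and hash values are placeholders.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread). sender.example signs the
# message; an enterprise gateway (gateway.example) verifies it, renames its own
# Authentication-Results to X-Original-Authentication-Results, covers that header
# with its own DKIM-Signature and forwards to dest.example. A third copy of the
# renamed header claiming authserv-id "bogus.example" is injected at the top and
# is covered by no signature; the checks below must ignore it.
SAMPLE = """\
X-Original-Authentication-Results: bogus.example; dkim=pass header.d=sender.example
Received: from gateway.example (gateway.example [192.0.2.10]) by mx.dest.example; Tue, 24 Nov 2020 14:49:00 -0800
DKIM-Signature: v=1; a=rsa-sha256; d=gateway.example; s=gw; c=relaxed/relaxed; h=from:to:subject:x-original-authentication-results; bh=PLACEHOLDER; b=PLACEHOLDER
X-Original-Authentication-Results: gateway.example; dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example
Received: from mail.sender.example (mail.sender.example [198.51.100.5]) by gateway.example; Tue, 24 Nov 2020 14:48:55 -0800
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel; c=relaxed/relaxed; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Sender <sender@sender.example>
To: list@dest.example
Subject: constructed test message

body
"""

# Header name used in the thread for the preserved auth-res (lower-cased for h= matching).
RENAMED = "x-original-authentication-results"


def dkim_tags(value):
    """Split a DKIM-Signature value into a tag -> value dict, whitespace removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def trusted_old_auth_results(raw, trusted_signers):
    """Return the renamed auth-res values bound by a DKIM-Signature whose d= is in
    trusted_signers. Assumes each signature's b= has already been verified; this
    only applies the RFC 6376 rule that each occurrence of a name in h= selects
    the next not-yet-selected instance counting from the bottom of the header
    block, so copies added above the signer's own header are not covered."""
    msg = message_from_string(raw)
    instances = msg.get_all("X-Original-Authentication-Results") or []
    covered = []
    for sig in msg.get_all("DKIM-Signature") or []:
        tags = dkim_tags(sig)
        if tags.get("d", "").lower() not in trusted_signers:
            continue
        n = [h.lower() for h in tags.get("h", "").split(":")].count(RENAMED)
        for value in reversed(instances)[:n] if False else list(reversed(instances))[:n]:
            if value not in covered:
                covered.append(value)
    return covered


def authserv_id(authres_value):
    """The authserv-id is everything before the first ';' of an auth-res value."""
    return authres_value.split(";", 1)[0].strip()


def received_path(raw):
    """'by' hosts from the Received headers, oldest hop first (bottom of the block up)."""
    msg = message_from_string(raw)
    hosts = []
    for rcvd in reversed(msg.get_all("Received") or []):
        m = re.search(r"\bby\s+([^\s;]+)", rcvd)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def correlated(raw, trusted_signers):
    """Pair each trusted, signature-bound renamed auth-res with the Received hop
    whose 'by' host equals its authserv-id; a result whose claimed verifier never
    appears in the message's path is dropped."""
    hops = set(received_path(raw))
    return [(authserv_id(v), v)
            for v in trusted_old_auth_results(raw, trusted_signers)
            if authserv_id(v) in hops]


if __name__ == "__main__":
    for ident, value in correlated(SAMPLE, {"gateway.example"}):
        print(ident, "->", value)
```

Run as a script it prints the single gateway.example result; the injected bogus.example copy is dropped because no trusted signature's h= selection reaches it, and a sender.example signature that does not list the renamed header binds nothing. The bottom-up selection is the part worth checking in a real deployment: a receiver that simply trusts the top-most X-Original-Authentication-Results would accept the injected copy.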


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc