On 12/6/20 10:31 AM, Alessandro Vesely wrote:
> On Sun 06/Dec/2020 18:01:04 +0100 Michael Thomas wrote:
>
>> This actually highlights why my observation is correct. If the intermediary showed how to reverse their changes perfectly to be able to validate the original signature, it says nothing about whether those changes to be delivered to the recipient are acceptable to the originating domain. For the case of a bank sending me sensitive mail, the answer is that it is never ok. For somebody working on internet standards working on IETF lists, the answer is that it is fine. Hence trying to get two states of the one "reject" is insufficient.
>
> For MLM transformations, this choice can be made by tuning DKIM signatures. A bank can choose to sign the Sender: field (or lack thereof), or any other fields that an MLM has to change, and possibly use simple canonicalization. In those conditions, transformation reversion won't work. It isn't a distinct DMARC state, formally. Yet, tuning DKIM signatures allows one to harden or weaken the given DMARC state.

It seems a lot simpler for the originating domain to just be explicit about how they feel about transformations by intermediaries. It's not like another short ASCII string is going to break the bank.

Mike

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
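
The signature tuning discussed in this thread (signing a Sender: field that is absent, and choosing simple over relaxed canonicalization) can be seen in the following added example, which is not part of either poster's message. It applies RFC 6376 header canonicalization to constructed sample headers and hashes only the fields listed in `h=`; the body hash, the DKIM-Signature field itself and the RSA step are left out as a simplification, and all addresses are made up.

```python
import hashlib
import re

def canon_header(name, value, mode):
    """Canonicalize one header field per RFC 6376 section 3.4."""
    if mode == "simple":
        return f"{name}:{value}\r\n"                    # signed exactly as sent
    value = re.sub(r"\r\n(?=[ \t])", "", value)         # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # collapse and trim whitespace
    return f"{name.lower().strip()}:{value}\r\n"

def signed_header_digest(headers, h_list, mode):
    """SHA-256 over the fields named in h=, selected bottom-up (section 5.4.2)."""
    remaining = list(headers)
    data = ""
    for wanted in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                data += canon_header(*remaining.pop(i), mode)
                break
        # No match: the field contributes the empty string, so a later
        # addition of that field changes the digest.
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample message headers (name, raw value after the colon).
ORIGINAL = [
    ("From", " Bank <notices@bank.example>"),
    ("To", " customer@example.net"),
    ("Subject", " Your statement for December"),
]
# Same message after a list refolds the Subject line.
REFOLDED = ORIGINAL[:2] + [("Subject", " Your statement\r\n for December")]
# Same message after a list adds its own Sender: field.
WITH_SENDER = ORIGINAL + [("Sender", " list-bounces@lists.example")]

def survives(h_list, mode, modified):
    """True if the signed-header digest is unchanged by the modification."""
    return (signed_header_digest(ORIGINAL, h_list, mode)
            == signed_header_digest(modified, h_list, mode))

if __name__ == "__main__":
    for h in (["from", "subject"], ["from", "subject", "sender"]):
        for mode in ("relaxed", "simple"):
            print(h, mode,
                  "refold:", survives(h, mode, REFOLDED),
                  "add Sender:", survives(h, mode, WITH_SENDER))
```
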