On 3/25/2021 2:23 PM, John R Levine wrote:
> While I am not opposed to a future tweak to DMARC to add some way to say
> that A can sign for B, even if we did it, it would be a long time if ever
> that DMARC verifiers implement it. RFC 6541 added a third-party signature
> option to DKIM in 2012, and after nine years, nobody implements it.

Wildcat! SMTP implements RFC6541 "Authorized Third Party Signature"
(ATPS). I'm sure I am not the only one and/or others have the options
to enable it.
There are wizards for ADSP+ATPS and DMARC+ATPS:
https://secure.winserver.com/public/wcADSP
https://secure.winserver.com/public/wcDMARC
It works in proving the assertion by a 1st party Author Domain
authorization for the existence of a specific 3rd party signer domain
signature. Results are stamped in "Authorization-Results" header.
Add "atps=1" to your DMARC record and create an ATPS record to
authorize 3rd party signature domains.
These domains are authorized to re-sign mail for the domain isdg.net:
jchjykxmwknbyfge2bg4td6add264olh._atps TXT ( "v=atps01; d=winserver.com;" )
kjshf2duqstols65zbhuytbbyr3zdecf._atps TXT ( "v=atps01; d=gmail.com;" )
lykm653kj7yxeia665va7lszzthcx7jj._atps TXT ( "v=atps01; d=beta.winserver.com;" )
pq6xadozsi47rluiq5yohg2hy3mvjyoo._atps TXT ( "v=atps01; d=ietf.org;" )
tudfisabn5dz3vjm2kxcehc5attdbqh6._atps TXT ( "v=atps01; d=santronics.com;" )
It can be managed like any other system.
This allows receivers to support a MAILING LIST that has re-signed mail
- the key problem we had since ADSP and now since DMARC because DMARC
never bothered to even address the main concern with ADSP - the lack
of a method to authorize a 3rd party.
ATPS offers it.
As to why the IETF.ORG mailing list does not support it or explore it
and has chosen instead to rewrite, I don't know, but it's so simple ---
a DNS Lookup without any 5322.From tampering.
--
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
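
Added example, not part of the original message and not Wildcat! SMTP code: a sketch of the receiver-side ATPS check the message describes, run after the third-party DKIM signature itself has verified. It assumes the RFC 6541 sha1 label form (lowercase base32 of the SHA-1 of the lowercased signer domain, 32 characters like the labels shown), the "v=atps01" record text as published in the message, and a hypothetical lookup_txt callback standing in for a DNS TXT query; the zone data is constructed.

```python
import base64
import hashlib

def atps_label(signer_domain: str) -> str:
    """Label for the signer: base32(SHA-1(lowercased domain)), no padding."""
    digest = hashlib.sha1(signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()

def atps_query_name(signer_domain: str, author_domain: str) -> str:
    """Name queried under the 5322.From (author) domain."""
    return f"{atps_label(signer_domain)}._atps.{author_domain.lower()}"

def parse_atps(txt: str) -> dict:
    """Split 'v=atps01; d=example.com;' into a lowercase tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def atps_authorized(signer_domain, author_domain, lookup_txt) -> bool:
    """True only if the author domain publishes a record for this signer.

    lookup_txt(name) is a hypothetical resolver hook returning a list of
    TXT strings (empty list for NXDOMAIN / no data).
    """
    signer = signer_domain.lower()
    for txt in lookup_txt(atps_query_name(signer, author_domain)):
        tags = parse_atps(txt)
        if tags.get("v") != "atps01":   # version string as used in the message
            continue
        # If d= is present it must name the signer; a mismatch is rejected.
        if tags.get("d", signer) == signer:
            return True
    return False

# Constructed zone for the author domain; labels are computed, not copied.
AUTHOR = "isdg.net"
ZONE = {atps_query_name(d, AUTHOR): [f"v=atps01; d={d};"]
        for d in ("winserver.com", "ietf.org")}
# Constructed bad record: right label, but d= names a different domain.
ZONE[atps_query_name("example.net", AUTHOR)] = ["v=atps01; d=example.org;"]

def lookup(name: str) -> list:
    return ZONE.get(name, [])

if __name__ == "__main__":
    for signer in ("ietf.org", "unlisted.example", "example.net"):
        print(signer, atps_authorized(signer, AUTHOR, lookup))
```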