On 30/05/2025 17:36, Dave Crocker wrote:
- It is technically false to claim that single-recipient is
necessary.

Please provide examples that provide similar benefits with multiple
envelope addressees.

This topic was discussed in the /Multiple rcpt-to's/ thread. Basically,
we can assume that all To:/Cc: addresses are legit, since that's what
the author intended. A verifier shall compare the envelope RCPT address
with each of the To:/Cc: (not a challenging task). If none match, this
can be a replay case. The To: and Cc: must be signed, but the sending
can be done based on MX grouping, as usual.

For replay, the forwarder's signature covers a DKOR which indicates the
envelope recipient. For Bcc:, it is the author domain signature. In
both cases, the message must be addressed to a single recipient.

What conclusions can a receiver draw from the presence (or absence) of a
DKOR field? It can help reconstruct a forwarding chain, which is
useful. However, in most cases where the recipient is not in To:/Cc:,
there are only two hops. In that case, DKOR only tells me that the
sender implements DKOR, all reputation considerations being equal.

Answering these questions is a good reason to bring forward, with DKOR,
the full implementation of DKIM2.

Best
Ale
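
The RCPT-versus-To:/Cc: comparison described in the message above, as an added Python sketch that is not part of the original post or of any DKIM2/DKOR draft. It only reads the h= tag to see whether To: and Cc: are covered and does not verify the signature cryptographically. The function names, verdict strings and sample message are constructed for illustration, and comparing the local part case-sensitively is an assumption.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; the bh= and b= values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\n"
    " h=from:to:cc:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@Example.NET>\n"
    "Cc: carol@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def _norm(addr):
    """Lower-case the domain; keep the local part as sent (assumption)."""
    local, sep, domain = addr.strip().strip("<>").rpartition("@")
    return f"{local}@{domain.lower()}" if sep else ""

def signed_header_names(msg):
    """Header names listed in the h= tag of every DKIM-Signature field."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        # Folding whitespace is allowed inside tags, so drop it first.
        for tag in "".join(sig.split()).split(";"):
            key, _, value = tag.partition("=")
            if key == "h":
                names.update(h.lower() for h in value.split(":") if h)
    return names

def classify(rcpt_to, raw_message):
    """Return 'listed', 'not-listed' or 'unsigned-recipients'."""
    msg = message_from_string(raw_message)
    present = {h for h in ("to", "cc") if msg.get_all(h)}
    # An unsigned To:/Cc: could have been altered, so the match means nothing.
    if not present <= signed_header_names(msg):
        return "unsigned-recipients"
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    listed = {_norm(a) for _, a in getaddresses(fields) if a}
    # 'not-listed' covers both the Bcc: case and a possible replay.
    return "listed" if _norm(rcpt_to) in listed else "not-listed"
```

Because the check runs once per envelope recipient, it works the same whether the transaction carried one RCPT or several grouped by MX.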