[Pete as participant...]
On 23 Jul 2025, at 19:25, Allen Robinson wrote:
> 1) For signature chains with exactly one signature, the signature's
> domain and the domain in the 5322.From must be aligned.

> By having the initial signature be from the domain aligned to the
> From or Sender header...

If we're going to go down this path (and I'm not saying doing so is a
good idea), then I think the intention is "the signature's domain and
the domain in 5322.Sender must be aligned". 5322.Sender is what's in the
Sender: header field if it is present and what's in the From: header
field if it is not.

That said, of course the 5321.MailFrom domain doesn't need to be
identical to the 5322.Sender domain (let alone 5322.From domain)
according to either of those specs, but I do understand that
operationally many anti-spam engines might consider such a mismatch "a
bad sign".

> 2) For all signature chains, the topmost signature's domain and the
> domain in the 5321.From must be aligned.

5321.MailFrom. I presume "topmost" here means "the most recent".

In the end, the whole discussion of alignment might more appropriately
go in an operational considerations section or BCP-like document
describing how information in these signatures is likely to be used in
the wild. That seems less like protocol and more like implementation.

pr
--
Pete Resnick https://www.episteme.net/
All connections to the world are tenuous at best
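
The two alignment checks discussed in this message, as an added example that is not part of the original message or of any draft text. It reports rule 1 against both 5322.From and 5322.Sender to show where the two readings differ. Assumptions: "aligned" means identical or parent/subdomain, the signature chain is a list of signing domains ordered oldest first, and every function name and sample value is constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lowercased domain of the first address in value, or '' if none."""
    addr = parseaddr(value or "")[1]
    if "@" not in addr:
        return ""          # covers the null reverse-path "<>" and junk input
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def sender_5322_domain(msg):
    """5322.Sender as defined above: Sender: if present, otherwise From:."""
    return domain_of(msg["Sender"] or msg["From"])

def aligned(a, b):
    """ASSUMPTION: aligned = same domain, or one is a subdomain of the other.
    A real check would compare organizational domains instead."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_chain(raw_message, mail_from, chain_domains):
    """chain_domains: signing domains, oldest first (hypothetical layout)."""
    msg = message_from_string(raw_message)
    result = {}
    if len(chain_domains) == 1:
        # Rule 1 under both readings discussed in the thread.
        result["rule1_from"] = aligned(chain_domains[0], domain_of(msg["From"]))
        result["rule1_sender"] = aligned(chain_domains[0], sender_5322_domain(msg))
    # Rule 2: most recent ("topmost") signature vs. 5321.MailFrom.
    result["rule2_mailfrom"] = aligned(chain_domains[-1], domain_of(mail_from))
    return result

# Constructed sample: a message submitted on behalf of the author.
ON_BEHALF = ("From: Alice <alice@example.org>\n"
             "Sender: relay@lists.example.net\n"
             "Subject: test\n\nbody\n")
# Constructed sample: no Sender: field, so 5322.Sender falls back to From:.
DIRECT = "From: Alice <alice@example.org>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    print(check_chain(ON_BEHALF, "bounces@mail.lists.example.net",
                      ["lists.example.net"]))
    print(check_chain(DIRECT, "<srs0=x@forwarder.example.com>",
                      ["example.org", "forwarder.example.com"]))
```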