On Sun, 31 Aug 2025, Bron Gondwana wrote:
> And of course, when migrating email between servers, the A-R header was added by the server which first received the message. It doesn't (at least now) sign that A-R header. We could make DKIM2 require the receiving system to sign the message (with a terminus record: no rt=, so it's not going anywhere else) as it delivers it into the mailbox. This is not a crazy idea, and one that was in my initial plan for this protocol pre-charter and pre-draft-writing.

That could work give or take the issue that a system is supposed to strip out any incoming A-R headers with its own name, so if a message loops through the same system, it'll break. Or I suppose we could declare that a signed A-R is a trace header but I'm not sure how well that will fly.

R's,
John

Ietf-dkim mailing list -- [email protected]
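
The loop problem raised in the reply above, as an added example that is not from either participant or from any DKIM2 draft: a receiver that strips incoming A-R fields carrying its own authserv-id (RFC 8601 section 5) invalidates a signature that covered its own A-R once the message passes through it again. The authserv-id `mx.example.net`, the sample message, and `header_digest` (a plain SHA-256 stand-in, not the DKIM2 signing algorithm) are assumptions.

```python
import hashlib

MY_ID = "mx.example.net"  # assumed authserv-id of the receiving system

def authserv_id(ar_value):
    """Return the authserv-id: first token of the field, minus any version."""
    first = ar_value.split(";", 1)[0].strip()
    return first.split()[0].lower() if first else ""

def strip_own_ar(headers, my_id=MY_ID):
    """RFC 8601 section 5 behaviour: drop incoming A-R fields that claim
    our own authserv-id, because we have not evaluated this message yet."""
    return [(n, v) for n, v in headers
            if not (n.lower() == "authentication-results"
                    and authserv_id(v) == my_id.lower())]

def header_digest(headers, signed_names):
    """Stand-in for a signature's header hash (NOT the DKIM2 algorithm):
    SHA-256 over the named fields in order of appearance."""
    h = hashlib.sha256()
    wanted = {n.lower() for n in signed_names}
    for n, v in headers:
        if n.lower() in wanted:
            h.update(f"{n.lower()}:{v.strip()}\r\n".encode())
    return h.hexdigest()

def deliver(headers, my_id=MY_ID):
    """Receive a message: strip own-named A-R, prepend ours, then 'sign'."""
    cleaned = strip_own_ar(headers, my_id)
    ours = ("Authentication-Results", f"{my_id}; dkim=pass header.d=example.org")
    stamped = [ours] + cleaned
    signed = ["Authentication-Results", "From", "Subject"]
    return stamped, signed, header_digest(stamped, signed)

def verify(headers, signed, digest):
    return header_digest(headers, signed) == digest

# Constructed sample message, already carrying another system's A-R field.
INCOMING = [("From", "alice@example.org"), ("Subject", "hello"),
            ("Authentication-Results", "other.example.com; spf=pass")]

def loop_breaks_signature():
    """Return (valid as stored, valid after looping through the same system)."""
    stored, signed, digest = deliver(INCOMING)
    looped = strip_own_ar(stored)  # same system receives the message again
    return verify(stored, signed, digest), verify(looped, signed, digest)

if __name__ == "__main__":
    print(loop_breaks_signature())
```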
