It appears that Richard Clayton <[email protected]> said: >>> 4 repeat until you get back to the original state of the message or a >>> "z" recipe tells you that you need to unconditionally trust >>> someone... they presumably have placed an Authentication-Results >>> header field into the message and you have to use that for your DMARC >>> and/or reputation calculations. >> >>I guess in this case A-R has to be signed? What handling is suggested in >>such a "z" case if you _don't_ trust the modifier? > >if you don't trust someone who modifies a message then I think you >should refuse to accept the message.
The idea of the "z" tag is that it's for filtering front ends like Proofpoint and Mimecast that rewrite URLs and strip attachments. They would only be doing that to mail sent to recipients who are paying them to do it. This does mean that remailing such a message back out won't work with DKIM2 but I haven't seen a lot of mail like that. The rewrites tend to appear in replies or forwards that are new messages so they're OK. R's, John _______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
