At 10:40 22-01-2008, Siegel, Ellen wrote:
> If you have an authentic claim of responsibility from a trustworthy
> party (as per #1), why should it matter whether that party is
> represented by the From: header or the Sender: header? And why, if
> the authenticated party in the Sender: field is trustworthy, should
> it be required that the From: domain is authenticated directly?

It doesn't matter if we trust that party but see example below.

If example.com is a bank and example.net is an ISP who is a
trustworthy party, would you trust an email for which example.net
claims responsibility if the From: shows an example.com author?

See RFC 5016, Section 3.2 (Problem Scenario 2: Illegitimate Domain Name Use).

Regards,
-sm
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
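
The scenario in the reply above, as an added example that is not part of the original message: a receiver-side check that compares each DKIM signing domain (the `d=` tag) with the From: and Sender: domains. The sample message, the function names and the exact-match comparison are assumptions made for illustration, and signatures are only parsed here, not cryptographically verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: example.net (the ISP) signs mail whose author is at example.com (the bank).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel1;
 h=from:sender:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Accounts <accounts@example.com>
Sender: relay@example.net
Subject: Statement

body
"""

def domain_of(header_value):
    """Return the lowercased domain of the first address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower() or None

def signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature header (no verification is done)."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", "", value)  # tag list may be folded across lines
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def classify(raw):
    """Return (author_domain, [(signing_domain, relationship), ...])."""
    msg = message_from_string(raw)
    author, sender = domain_of(msg["From"]), domain_of(msg["Sender"])
    results = []
    for d in signing_domains(msg):
        if d == author:
            results.append((d, "author-domain signature"))
        elif d == sender:
            results.append((d, "third-party signature matching Sender only"))
        else:
            results.append((d, "third-party signature"))
    return author, results or [(None, "unsigned")]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A valid signature in the "matching Sender only" class tells the receiver that example.net takes responsibility for the message; it says nothing about whether example.com authorized the use of its name in From:.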