Charles Lindsey wrote:
> On Wed, 03 Jun 2009 17:13:02 +0100, Murray S. Kucherawy  
> <m...@cloudmark.com> wrote:
> 
>>> WTF is the point of inserting an A-R header if you are not willing to
>>> take responsibility for what you have done by signing it?
>>>
>>> And why should anyone else believe your A-R if you have omitted that
>>> elementary step?
>> Because, if you've followed the RFC defining it, the border MTA has  
>> removed any others present that could possibly be misinterpreted by  
>> internal agents.
> 
> Yes, but that is the MTA at MY border. I would expect the assessor at MY  
> border to have indicated some degree of suspicion if the A_R header it was  
> about to remove (before substituting its own) was not included in the  
> signature that accompanied it.

The cases, IMO, of when an ar-header is useful from a foreign domain
are vanishingly small, so removing it is just a matter of good hygiene.
If capturing its essence is important, I suppose that we'll first see
border mta software using it for something. To my knowledge, nobody is.
(foreign a-r that is).

>> You're not required to sign them, but it's not a bad idea.
> 
> Then why are people on this list not trying to encourage that good  
> practice? Indeed, why are they so vociferously trying to DIScourage it?

Because it's a marginal case. At Cisco, the only thing that I'm aware*
that we were using a-r for was generating gross statistics, where what
even a trusted foreign verifier -- which we had none -- were useless for
what we were using it for. Maybe we were outliers, but I doubt it.

[*] yes a couple of us were using ar to color messages in our muas, but
we were a pretty self-selected, self-interested population

                Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
