> > By selecting specific A-R headers to remove, header content might be
> > processed post delivery, and then appear to match against some trusted
> > domain.

> I believe the Security Considerations of RFC5451 covers this adequately.
> For sure, individual recipients may wish to check signatures etc. for
> themselves, especially if they have doubts about the policies applied by
> their local assessors. If the local assessor has unnecessarily removed
> some A-R that is actually covered by the signature, then that becomes
> impossible.

+1

> > The safest solution would be to remove _all_ pre-existing A-R
> > headers from different environments ...

> But that's not what the standard says.

+1

> > IMHO, appendix B.6 is overly optimistic for today's environment.

Have you seen actual attacks like this in the wild already?

> Maybe so, but that document is a proposed standard, and unless you have
> plans to get it revised, we must try and work with it as it stands.
> Nothing in that example is contrary to what that standard says
> normatively.

+1

(BTW, does this still qualify as being "on topic" for this list?)

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
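Added illustration of the two removal policies argued over above; this is example code, not from the thread or from RFC 5451 itself. The default mode implements what RFC 5451 section 5 requires of a border MTA (delete any pre-existing Authentication-Results field that claims the MTA's own authserv-id, since it cannot have added it). The strict mode is the "remove all A-R from other environments" policy the poster calls safest, which goes beyond the RFC: it also drops fields from any authserv-id outside a configured trusted set. Hostnames, the trusted set and the sample message are constructed for the demonstration.

```python
import email
import email.message

AR = "Authentication-Results"


def authserv_id(field_value):
    """Return the lower-cased authserv-id of an A-R field value.

    RFC 5451 puts the authserv-id first, optionally followed by a version
    number, then ';' and the results: "mx.example.net 1; dkim=pass ...".
    """
    head = field_value.split(";", 1)[0].strip()
    return head.split()[0].lower() if head else ""


def filter_authentication_results(raw_message, local_id, trusted_ids=(), strict=False):
    """Strip untrustworthy A-R fields from an inbound message at the border.

    Default: drop every A-R field claiming our own authserv-id (RFC 5451
    section 5). A field like that on a message arriving from outside is
    either forged or leaked from another ADMD that happens to use the same
    name; either way a downstream filter must not trust it.

    strict=True additionally drops A-R fields from any authserv-id not in
    trusted_ids, i.e. the "remove all foreign A-R" policy; this is stricter
    than the RFC requires.

    Returns (filtered message as a string, authserv-ids removed, in order).
    """
    msg = email.message_from_string(raw_message)
    trusted = {t.lower() for t in trusted_ids}
    local = local_id.lower()
    out = email.message.Message()
    removed = []
    for name, value in msg.items():  # items() preserves header order
        if name.lower() == AR.lower():
            sid = authserv_id(value)
            if sid == local or (strict and sid not in trusted):
                removed.append(sid)
                continue
        out[name] = value
    out.set_payload(msg.get_payload())
    return out.as_string(), removed


# Constructed inbound message. The first A-R field claims our own authserv-id
# (mail.example.net) although we have not processed the message yet, so it
# is exactly the kind of field section 5 says to delete. mx1.example.net is
# an (assumed) internal upstream host; relay.example.org is foreign.
SAMPLE = """\
Received: from relay.example.org by mx1.example.net with ESMTP
Authentication-Results: mail.example.net 1; dkim=pass header.d=example.net
Authentication-Results: mx1.example.net; spf=pass smtp.mailfrom=sender@example.org
Authentication-Results: relay.example.org; dkim=pass header.d=sender.example.org
From: sender@example.org
Subject: constructed sample
Content-Type: text/plain

Hello
"""

LOCAL_ID = "mail.example.net"
TRUSTED = {"mx1.example.net"}


def ar_field_count(message_text):
    """Number of A-R fields left in a message (for comparing the policies)."""
    return message_text.count(AR + ":")


if __name__ == "__main__":
    rfc_msg, rfc_removed = filter_authentication_results(SAMPLE, LOCAL_ID)
    strict_msg, strict_removed = filter_authentication_results(
        SAMPLE, LOCAL_ID, trusted_ids=TRUSTED, strict=True)
    print("RFC 5451 policy removed:", rfc_removed)
    print("strict policy removed:  ", strict_removed)
    print(strict_msg)
```

Under the RFC policy only the field forging our own authserv-id goes; the foreign relay.example.org field survives and a later stage (or an end user, as the quoted reply notes) may still choose to believe or ignore it. Under the strict policy only the field from the configured internal host survives.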