In draft-ietf-marf-spf-reporting we changed the address construction rules to use a localpart from the new mechanism published in DNS and the SPF domain in order to limit the ability of random third parties to point these kinds of reports at unrelated receivers who may not be prepared for them (and retired a security consideration in the process).
We did not (I now notice, thanks to Alessandro Vesely's note on the subject in the SPF draft) make a similar change in the DKIM draft. I think we should. My proposal is to drop 3.1. Extension DKIM Signature Tag and change the address construction in the ra= tag to use the signing domain (d=) in the signature. In this manner the reports will only go back where they came from (in a general sense).

Scott K
