On 11/26/2015 09:12 PM, Greg Stark wrote:
On Wed, Nov 25, 2015 at 6:55 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:
But my point was that while the RFC says what to put there there's
absolutely no reference anywhere for when the information should cause
any MUA or MTA to behave differently.
Agreed. To my mind that's a reason why Sender should not be DKIM-signed.
Unfortunately, RFC 6376 explicitly suggests doing so ... and it looks like
some people are taking that advice.
Hm, I see it as a reason why signing Sender is reasonable. If it were
a functional header then there might be a reason it would have to be
changed. But if it's purely informational and the receiving MUA is
going to display to the user (which is a bad idea imho but Gmail and
Exchange both do it) then it makes sense to expect some authentication
for it. I think the thinking is basically "sign everything we're going
to present to the user phishers can't claim to be someone they're
not". In which case it's fairly important that things like Sender be
signed. Or that everyone agree it's just a useless header and stop
sending or displaying it.
From DMARC.org's Wiki:
<<< 2 Add an "Original Authentication Results" header to indicate you have
performed the authentication and you are validating it
3 Take ownership of the email, by removing the DKIM signature and
putting your own
as well as changing the from header in the email to contain an email
address
within your mailing list domain. >>>
Read elsewhere: "To allow for forwarding scenarios, DMARC also allows
the *Display From* to be cryptographically signed by DKIM, and if any
unauthorized spammer or phisher were to attempt to assume that identity,
the encryption would fail."
I don't think we should base any action on guesses of what Gmail does.
Google may do something we don't expect that's more complex to work
around the problem. For one thing you can have email addresses at
Google from a number of domains so they may well be able to have more
than one policy for different users.
Yep
I would suggest we stop doing things that are obviously incompatible
with DKIM -- header and body munging for example. And I suspect we can
stop touching Sender without any ill effects too.
One idea might be to add a script to check a user's domain for
p=reject and send them a warning when subscribing (or sending mail to
the list?) warning them of the problem.
Definitively worth the effort, unless an almost perfect solution is found :S
/ J.L.
