On April 8, 2014 7:50:37 PM EDT, Nic Bernstein <[email protected]> wrote:
>On 04/08/2014 06:35 PM, Scott Kitterman wrote:
>>> what's the canonical solution to interoperating in a DMARC
>>> >with p=reject enabled world and where is it documented?
>>> >
>>> >http://dmarc.org/faq.html#s_3
>>> >
>>> >And I quote:
>>> >
>>> >I operate a mailing list and I want to interoperate with DMARC, what
>>> >should I do?
>>> > DMARC introduces the concept of aligned identifiers. It means the
>>> >domain in the from header must match the d= in the DKIM signature and
>>> >the domain in the mail from envelope.
>>> >You have a few solutions:
>>> >
>>> > • operate as a strict forwarder, where the message is not changed and
>>> >the validity of the DKIM signature is preserved
>>> > • introduce an "Original Authentication Results" header to indicate
>>> >you have performed the authentication and you are validating it
>>> > • take ownership of the email, by removing the DKIM signature and
>>> >putting your own as well as changing the from header in the email to
>>> >contain an email address within your mailing list domain.
>> In other words: don't be a mailing list.
>>
>> Scott K
>
>Forgive my ignorance, but what's wrong with option #2, "introduce an
>"Original Authentication Results" header to indicate you have performed
>the authentication and you are validating it"? Seems like a perfectly
>reasonable thing to do. Am I missing something?
> -nic

It's only interesting if I trust the MTA adding the OADR not to lie to me. If I trust them that far I probably don't care about the OADR results because I probably trust them enough not to send me crap.

Scott K
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
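
Added example, not part of the thread or of dmarc.org material: a receiver-side sketch of the DMARC identifier-alignment check (RFC 7489), applied to the mailing-list cases from the quoted FAQ. Assumptions: the domains and messages are constructed, SPF and DKIM verdicts are supplied as inputs rather than computed, and `org_domain` uses a naive "last two labels" rule in place of a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import NamedTuple

def org_domain(domain: str) -> str:
    # Assumption: "last two labels" stands in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str, strict: bool = False) -> bool:
    a, b = a.lower(), b.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

class ReceiverAuth(NamedTuple):
    """What the receiving MTA measured itself (constructed inputs here)."""
    spf_pass: bool
    mail_from_domain: str   # envelope MAIL FROM domain checked by SPF
    dkim_pass: bool
    dkim_d: str             # d= of the DKIM signature that was checked

def dmarc_pass(raw: str, auth: ReceiverAuth, strict: bool = False) -> bool:
    from_domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
    spf_ok = auth.spf_pass and aligned(from_domain, auth.mail_from_domain, strict)
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_d, strict)
    return spf_ok or dkim_ok   # one aligned, passing identifier is enough

# Constructed messages: author at example.com, list at lists.example.org.
ORIGINAL = "From: Alice <alice@example.com>\nSubject: hello\n\nbody\n"
MODIFIED = "From: Alice <alice@example.com>\nSubject: [list] hello\n\nbody\n-- \nlist footer\n"
REWRITTEN = "From: Alice via list <list@lists.example.org>\nSubject: [list] hello\n\nbody\n"

def scenarios() -> dict:
    list_env = "bounces.lists.example.org"   # the list re-sends with its own envelope
    return {
        "direct": dmarc_pass(ORIGINAL, ReceiverAuth(True, "example.com", True, "example.com")),
        # Option 1: unchanged message, the author's DKIM signature still verifies.
        "strict_forwarder": dmarc_pass(ORIGINAL, ReceiverAuth(True, list_env, True, "example.com")),
        # Modelled here: subject tag and footer invalidate the author's signature.
        "modified": dmarc_pass(MODIFIED, ReceiverAuth(True, list_env, False, "example.com")),
        # Option 3: From rewritten into the list domain, list signs with its own key.
        "take_ownership": dmarc_pass(REWRITTEN, ReceiverAuth(True, list_env, True, "lists.example.org")),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:17} DMARC {'pass' if ok else 'fail'}")
```

`dmarc_pass` takes only results the receiver measured itself; the header from option 2 is a claim carried inside the message and is not an input to this check.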
