Scott Kitterman writes:

> In order to ensure OAR was added by the ML (or whoever you trust to
> add it correctly) you're going to have to grovel through the
> received fields and see if the MTA you trust added the field.

Re: groveling. Received fields are easy to fake and nobody signs those (what would that mean, anyway?). Obviously you need to sign any *AR you did yourself, or nobody should trust it. That should make it "easy" to determine trust.

Am I missing something? Besides the complexity of chains of trusted authenticators, of course. Obviously further protocol would be needed there.

Steve

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
