On Mon, Jun 9, 2014 at 11:52 PM, Franck Martin <[email protected]> wrote:
> This is interesting, however it seems to me that DMARC should be more
> aware of it if used.

Why? This is a way of satisfying the alignment requirement on the DKIM side. DMARC doesn't need to know it's there. The same is true of ATPS, for example.

> I would suggest to sign with a subdomain. This would keep alignment, but
> would allow you to see which DKIM signature worked. Once both DKIM
> signatures work, you would not need the delegated one.

What would make both start working again? The problem we're trying to solve here is that the originator signature is broken by the list, and that's a (theoretically) immutable condition.

> I think DMARC should be made aware, so that it applies some constraints on
> when this signature is used/valid. Maybe only when there is a List-ID or
> List-Post header present, and the list has DKIM signed the whole message
> with its domain.

Anyone can add a List-ID or List-Post header field, so I don't think that adds any additional security.

> It would require MLM to not drop DKIM headers... Still some configuration
> on MLM side, but less in the way messages are modified

That's a much less visible and thus probably more tolerable change for MLM operators.

-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
