On Wed 30/Sep/2015 16:42:19 +0200 John Levine wrote:
>>
>> [R]equire conventional, full DKIM signatures. Why? It seems to me that any
>> DMARC authentication method could suffice. That is, the author domain
>> (!fs signer) could be SPF authenticated by the MLM; and the MLM could be
>> SPF authenticated by list recipients. No?
>
> You're mixing levels here. dkim-conditional describes a new way to create a
> valid DKIM signature. I wouldn't want to try to describe how a DKIM
> validator is supposed to stop and take a detour through an SPF validator to
> decide what to do next.

At DKIM level, validators had better just describe their results. For example, an MLM may want to know if the !fs-signature of an incoming message is good, although its required DKIM signature is obviously still missing at that stage.

At DMARC level, it is straightforward to describe how a verifier retrieves conditionals, and state that one or more of the Authenticated Identifiers must be aligned with at least one of the !fs= domains in that case. Please note that such a statement would modify RFC 7489, as expected of a DMARC fix.

Anyway, the advantage of operating at DMARC level is the ability to receive feedback on missing !fs conditionals, not just to enable SPF. Feedback would be based on fo= rather than on p=. Therefore, semantics and maintenance of the internal lists of domains which trigger weak signing would be improved, both at large and at small mail sites.

Ale
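
The DMARC-level check proposed in the message above, sketched as an added example that is not part of the original post or of any draft: the DKIM layer only reports results, and the DMARC layer decides whether an Authenticated Identifier (SPF or conventional DKIM) aligns with one of the `!fs=` domains. The `DkimResult` structure, the function names, the reason strings and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DkimResult:       # hypothetical record reported by the DKIM layer
    d: str              # signing domain (d=)
    valid: bool         # signature verified, ignoring any !fs= condition
    fs: tuple = ()      # domains listed in !fs=; empty for a conventional signature

def org_domain(name):
    # Simplification: last two labels. A real verifier uses a public suffix list.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    # Relaxed alignment: same organizational domain.
    return org_domain(a) == org_domain(b)

def dmarc_eval(author, dkim_results, spf_pass_domain=None):
    """Return (result, reason) for the RFC5322.From domain `author`."""
    # Authenticated Identifiers: the SPF-authenticated domain plus d= of valid
    # conventional signatures. A conditional signature does not count by itself.
    ids = [r.d for r in dkim_results if r.valid and not r.fs]
    if spf_pass_domain:
        ids.append(spf_pass_domain)
    # Ordinary RFC 7489 case: an identifier aligned with the author domain.
    if any(aligned(i, author) for i in ids):
        return "pass", "aligned identifier"
    # Proposed case: a valid conditional signature from the author domain,
    # satisfied by any identifier aligned with one of its !fs= domains.
    conditionals = [r for r in dkim_results
                    if r.valid and r.fs and aligned(r.d, author)]
    for r in conditionals:
        if any(aligned(i, f) for i in ids for f in r.fs):
            return "pass", "conditional satisfied"
    if conditionals:
        return "fail", "conditional unsatisfied"
    # No conditional at all: the case where fo=-based feedback would be useful.
    return "fail", "no conditional"

# Constructed sample: author domain example.com, list at lists.example.net.
WEAK = DkimResult("example.com", True, fs=("lists.example.net",))
```
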
