On Mon, Oct 15, 2018 at 7:30 AM Hector Santos <hsantos= [email protected]> wrote:
<elided earlier part of the message>

> The rewrite should be the last thing to consider, and if it does
> rewrite, it should replace the original author domain strong policy
> with its own strong policy.
>
> For example, the ietf.org mailing list has begun to rewrite and it
> replaces the 5322.From with a dmarc.ietf.org domain, adds a new
> X-Original-From header and resigns the message using an ietf.org
> signer domain:
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org;
>   s=ietf1;
>   t=1537415189; bh=TJWGUVdPL8OTY+HJnUzpBRd52OaKfWjFqS68Cby0s/M=;
>   h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
>   List-Archive:List-Post:List-Help:List-Subscribe:From;
>   b=.....
> X-Original-From: Hector Santos <[email protected]>
> From: Hector Santos <[email protected]>
>
> What it should do is:
>
> 1) It should use a 1st party signature using d=dmarc.ietf.org to
>    match the new author domain dmarc.ietf.org.
>
> 2) It should hash-bind the X-Original-From header to the
>    signature. Since DKIM recommends not to bind "X-" headers,
>    a non "X-" header should be used, i.e. "Original-From:". This
>    means adding the header to the 'h=' field to avoid potential
>    mail resend exploits using different unprotected Original-From:
>    fields.
>
> 3) and finally, the dmarc.ietf.org domain should have its own
>    DMARC p=reject policy to effectively replace the one it
>    circumvented with the submission.

I don't understand why it is necessarily a bad thing to fall back to the org domain (ietf.org) as this example shows. I also don't understand how your suggestion would work to handle a mixture of restrictive policies (some quarantine, some reject) with a single _dmarc.dmarc.ietf.org record unless there is some trick DNS responder magic going on (and that won't work well for cached responses anyway).

--Kurt
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
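As an added example (not code from the thread or from the IETF list software), the following Python audits a list-rewritten message against points 1 and 2 of the quoted proposal: whether the DKIM d= domain matches the new From domain, and whether the preserved original From header is covered by the h= tag rather than left as an unsigned X- header. The two sample messages are constructed, their b= values are placeholders (no cryptographic verification happens), and point 3 (the DMARC record) needs DNS so it is not checked.

```python
import email
from email.utils import parseaddr

# Constructed samples modelled on the rewritten message quoted in the thread;
# b= is a placeholder, not a real signature, so this only inspects what the
# signature *claims* to cover, never whether it verifies.
AS_QUOTED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
 t=1537415189; bh=TJWGUVdPL8OTY+HJnUzpBRd52OaKfWjFqS68Cby0s/M=;
 h=Date:To:References:In-Reply-To:Subject:List-Id:From; b=PLACEHOLDER
X-Original-From: Hector Santos <author@example.net>
From: Hector Santos <author@dmarc.ietf.org>
Subject: constructed sample

body
"""
# The same message rewritten the way the quoted proposal asks for.
AS_PROPOSED = (AS_QUOTED.replace("d=ietf.org", "d=dmarc.ietf.org")
               .replace("List-Id:From", "List-Id:Original-From:From")
               .replace("X-Original-From:", "Original-From:"))


def dkim_tags(value):
    """Split a DKIM-Signature value into a tag dict (folding whitespace removed)."""
    flat = "".join(value.split())
    return dict(t.split("=", 1) for t in flat.split(";") if "=" in t)


def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def audit_rewrite(raw):
    """Report how a rewritten message fares against points 1 and 2 of the thread."""
    msg = email.message_from_string(raw)
    tags = dkim_tags(msg.get("DKIM-Signature", ""))
    signed = {h.lower() for h in tags.get("h", "").split(":")}
    d, author = tags.get("d", "").lower(), from_domain(msg)
    return {
        # 1) does the signer domain equal the new author domain (strict alignment)?
        "strict_alignment": d == author,
        # relaxed alignment approximated by a parent-domain suffix check;
        # a real validator derives the organizational domain from the PSL
        "relaxed_alignment": d == author or author.endswith("." + d),
        # 2) is the preserved original From header bound by the signature?
        "original_from_signed": "original-from" in signed,
        "unsigned_x_header": "x-original-from" in msg and "x-original-from" not in signed,
    }
```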
