On 7/13/2020 2:28 PM, Joseph Brennan wrote:


2) draft-crocker-dmarc-sender


This is an elegant solution. It puts the burden of change-- creating a
Sender field in all cases, and a variant DMARC record-- on the domain
owner who wants to send mail and use DMARC rules. The use of Sender
complies with RFC 5322, since it is optional whether to create Sender
when it is the same address as From.

With this implemented, developers of mailing list software can stop
figuring out which way to violate RFC 5322 in order to make mail
deliverable, and developers of clients do not have to create and
display a new Author field. Big win, for widespread acceptance, I
would say.

Sender: is already set by most MLMs, if not all. Errors-To: is also set for compatibility reasons.

The proposal for policies to depend on Sender with a From fallback does not resolve the 3rd party authorization problem.

We currently have two identities:

- ADID Author Domain (5322.From) Identity
- SDID Signer Domain (5322.DKIM-Signature d=) Identity.

We also have the well-defined and recognized distinction:

- 1st party where ADID is equal to SDID
- 3rd party where ADID is NOT equal to SDID

The ideal DKIM model is to do a:

- 1st party, no problem, with the self-signed signature. No need to do a DNS lookup if ADID is equal to SDID. However, there were considerations for a NO MAIL policy. It was determined we can do this with a null public key.

- 3rd party, Policy lookup based on ADID to determine if SDID is a legitimate resigner. We have no protocol for this.

Adding Sender (let's give it an acronym, SRDID) to the mix does not change the authorization problem. Under these resigner conditions, SDID=SRDID would be expected to be the same domain, thus making SRDID redundant.

One way to do this is with the ADID adding a SRDID or SDID DNS record, which is how ATPS "Authorized Third Party Signer" works.

Another way is to use a non-DNS based conditional signature idea.

There is also TPA. Supposedly, it scales better than ATPS as a DNS record lookup proposal.

--
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos
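The following is an added example, not code from either message above nor from any of the drafts under discussion. It makes the ADID / SDID / SRDID distinction concrete: it pulls the 5322.From domain (ADID), the Sender domain (SRDID) and every DKIM-Signature d= tag (SDID) out of a message, labels the message 1st party (ADID equals some SDID) or 3rd party (no signer matches the author domain), and reports whether the Sender domain is one the signer also claims. The sample messages are constructed; the signatures in them are placeholders and are not cryptographically verified, so this is only the identity extraction and comparison step that precedes any policy lookup.

```python
"""Extract DMARC/DKIM identities from a message and classify 1st vs 3rd party.

Added illustration; the sample messages below are constructed and their
DKIM-Signature values are placeholders (no signature verification is done).
"""
from email import message_from_string
from email.utils import parseaddr


def domain_of(addr_header):
    """Return the lowercase domain of a From:/Sender: address, or None."""
    if not addr_header:
        return None
    _, addr = parseaddr(addr_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def dkim_signer_domains(msg):
    """Return the d= tag (SDID) of every DKIM-Signature header, in order."""
    sdids = []
    for sig in msg.get_all("DKIM-Signature", []):
        # Tags are ';'-separated name=value pairs; drop folding line breaks first.
        flat = sig.replace("\r\n", " ").replace("\n", " ")
        for tag in flat.split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip().lower() == "d":
                sdids.append(value.strip().lower())
    return sdids


def classify(raw_message):
    """Return the identities found plus a 1st/3rd-party verdict."""
    msg = message_from_string(raw_message)
    adid = domain_of(msg.get("From"))       # Author Domain Identity
    srdid = domain_of(msg.get("Sender"))    # Sender Domain Identity (SRDID above)
    sdids = dkim_signer_domains(msg)        # Signer Domain Identities
    result = {"adid": adid, "srdid": srdid, "sdids": sdids}
    if adid is None or not sdids:
        result["party"] = "unsigned"
    elif adid in sdids:
        result["party"] = "1st"             # self-signed: no authorization lookup needed
    else:
        result["party"] = "3rd"             # a resigner: needs ADID -> SDID authorization
    # Under the Sender proposal, a resigning list would sign as the Sender domain.
    result["sender_matches_signer"] = srdid is not None and srdid in sdids
    return result


# Constructed sample 1: author domain signs its own mail (1st party).
FIRST_PARTY = """From: Alice <alice@example.com>
To: list@lists.example.org
Subject: hello
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=

body
"""

# Constructed sample 2: a mailing list resigns, adds Sender:, keeps From: (3rd party).
LIST_RESIGNED = """From: Alice <alice@example.com>
Sender: list-bounces@lists.example.org
To: list@lists.example.org
Subject: [list] hello
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=list;
 h=from:sender:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=

body
"""


if __name__ == "__main__":
    for name, raw in (("first-party", FIRST_PARTY), ("list-resigned", LIST_RESIGNED)):
        print(name, classify(raw))
```

Running the block prints the identities for both samples: the first is 1st party with no Sender, the second is 3rd party (ADID example.com, SDID lists.example.org) where the Sender domain is exactly the signer, which is the SDID=SRDID redundancy the message above points out.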


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
