On Sun 06/Dec/2020 19:47:24 +0100 Michael Thomas wrote:
> On 12/6/20 10:31 AM, Alessandro Vesely wrote:
>> On Sun 06/Dec/2020 18:01:04 +0100 Michael Thomas wrote:
>>> This actually highlights why my observation is correct. If the intermediary
>>> showed how to reverse their changes perfectly to be able to validate the
>>> original signature, it says nothing about whether those changes to be
>>> delivered to the recipient are acceptable to the originating domain. For the
>>> case of a bank sending me sensitive mail, the answer is that it is never ok.
>>> For somebody working on internet standards working on IETF lists, the answer
>>> is that it is fine. Hence trying to get two states of the one "reject" is
>>> insufficient.
>>
>> For MLM transformations, this choice can be done by tuning DKIM signatures.
>> A bank can choose to sign the Sender: field (or lack thereof), or any other
>> fields that an MLM has to change, and possibly use simple canonicalization.
>> In those conditions, transformation reversion won't work. It isn't a distinct
>> DMARC state, formally. Yet, tuning DKIM signatures allows one to harden or
>> weaken the given DMARC state.
>
> It seems a lot simpler for the originating domain to just be explicit about how
> they feel about transformations by intermediaries. It's not like another short
> ASCII string is going to break the bank.

A stated policy is certainly more explicit about the intent. However, it is
subject to receivers' interpretation and I-dont-care syndrome.

Best
Ale
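
The signature tuning discussed in this thread (signing an absent Sender: field, and simple versus relaxed canonicalization), as an added example that is not part of the original messages. It compares only the digest over the header fields listed in h=, following the selection and canonicalization rules of RFC 6376; the body hash, the DKIM-Signature field itself and the RSA step are left out, and the addresses and list name are constructed.

```python
import hashlib
import re

def canon_header(name, value, mode):
    """Canonicalize one header field per RFC 6376 section 3.4 (simple or relaxed)."""
    if mode == "simple":
        return f"{name}:{value}\r\n"                      # bytes kept as sent
    unfolded = re.sub(r"\r\n(?=[ \t])", "", value)        # undo header folding
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip(" ")
    return f"{name.lower()}:{collapsed}\r\n"

def signed_header_digest(headers, h_tag, mode):
    """SHA-256 over the header fields named in h=, selected bottom-up.

    A name in h= with no remaining instance contributes nothing, so a field
    that is signed while absent breaks the signature once someone adds it.
    """
    remaining = list(headers)          # (name, value) pairs in message order
    data = ""
    for wanted in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                name, value = remaining.pop(i)
                data += canon_header(name, value, mode)
                break
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample: the message as sent, and as relayed by a hypothetical list
# that adds Sender: and re-spaces the From: display name.
ORIGINAL = [
    ("From", " Example Bank <alerts@bank.example>"),
    ("To", " customer@example.net"),
    ("Subject", " Your statement is ready"),
]
VIA_LIST = [
    ("Sender", " list-bounces@lists.example.org"),
    ("From", " Example Bank  <alerts@bank.example>"),
    ("To", " customer@example.net"),
    ("Subject", " Your statement is ready"),
]

def survives(h_tag, mode):
    """True if the digest the signer computed still matches after relaying."""
    return (signed_header_digest(ORIGINAL, h_tag, mode)
            == signed_header_digest(VIA_LIST, h_tag, mode))

if __name__ == "__main__":
    for h_tag, mode in [("from:to", "relaxed"), ("from:to", "simple"),
                        ("from:to:sender", "relaxed")]:
        print(f"h={h_tag:<15} c={mode:<8} survives relay: {survives(h_tag, mode)}")
```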