On Fri 08/Oct/2021 18:18:45 +0200 Dave Crocker wrote:
On 10/8/2021 9:09 AM, Scott Kitterman wrote:
So originator includes From and Author and signs both.  Then the mediator (e.g. MLM) munges From and signs again.  Receiver checks DMARC and it passes.  Then receiver sends feedback to both Author and From domains?

The purpose of the Author field is to retain some information that presumably won't get modified.  Whether to actually 'believe' that information is a different matter, just as it is for all other header fields.  And let's be clear that including a field in a DKIM signature does NOT validate its contents.


Whether signed fields are validated depends on the signing domain's policy. Some do check that From: is valid. If they add Author:, I'd expect they faithfully copy it from From:.

Unfortunately, there is no automated way to learn a domain's policy.


DMARC adds to the semantics with its definition of alignment. It's part of DMARC, not DKIM.

So it's certainly reasonable to include the Author: field in the set that produce the DKIM signature, but that inclusion does not have any semantic other than it didn't get changed since the signing.  Data integrity is nice but is quite different from validation.


If the author's domain signed Author:, then a receiver knows that they are aware of the mailing list problem and presumably interested in validation results. So, I would send them an aggregate report in that case. If Author: was added by a mediator, I'd report to the From:'s domain only.

Of course, if the signature does not validate, the tag h=Author:... could have been counterfeited by a malicious mediator, possibly in a DoS attempt at overflowing the Author's domain rua mailbox. I think such worry can be neglected.



Best
Ale
--
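As an added example that is not part of this thread, the Python below applies the reporting rule Ale describes above to a message's headers: the From: domain is always reported to, and the Author: domain only when a signature from the Author: domain itself covers Author: in its h= tag and that signature verified. It assumes DKIM verification is done elsewhere and its result is passed in as the set of signing domains whose signatures passed; the sample message, domains and selectors are constructed.

```python
import re
from email import message_from_string

def _domain(addr_header: str) -> str:
    """Return the lower-cased domain of the first address in a header value."""
    m = re.search(r'@([A-Za-z0-9.-]+)', addr_header)
    return m.group(1).lower() if m else ''

def _tags(sig: str) -> dict:
    """Parse a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig.split(';'):
        if '=' in part:
            k, v = part.split('=', 1)
            tags[k.strip().lower()] = ''.join(v.split())
    return tags

def report_recipients(raw_msg: str, verified_domains: set) -> set:
    """Domains that should receive an aggregate report for this message.

    verified_domains: d= values of the DKIM signatures that verified (assumed
    to come from a real DKIM verifier; constructed here for the example).
    """
    msg = message_from_string(raw_msg)
    from_dom = _domain(msg.get('From', ''))
    author_dom = _domain(msg.get('Author', ''))
    recipients = {from_dom} if from_dom else set()
    for sig in msg.get_all('DKIM-Signature', []):
        t = _tags(sig)
        d = t.get('d', '').lower()
        signed = {h.strip().lower() for h in t.get('h', '').split(':')}
        # Only the Author: domain's own, verified signature counts. A mediator
        # adding Author:, or an unverified h=author tag, reports to From: only.
        if d == author_dom and 'author' in signed and d in verified_domains:
            recipients.add(author_dom)
    return recipients

# Constructed sample: the MLM rewrote From: but Author: survived, and both
# the originator and the mediator signed. Signature values are placeholders.
SAMPLE = """From: Alice via list <list@mlm.example>
Author: Alice <alice@author.example>
To: list@mlm.example
Subject: Re: Author header
DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=sel; h=from:author:subject:to; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=mlm.example; s=list; h=from:author:subject:to; bh=PLACEHOLDER; b=PLACEHOLDER

body
"""
```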
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc