Google applies annotation signatures from <domainname>.<digits>.gappssmtp.com, with periods replaced in the domain name. Microsoft applies proxy signatures from <domainfragment>.onmicrosoft.com.

In both cases, the signatures appear to be an assertion by the hosting service that the message was processed by a particular client of their service. I call this a proxy signature.

If, as I am hoping, the signature indicates that the message has been authenticated to the indicated domain, then it provides a defense against SPF upgrade attacks. Evaluators can require that messages from the hosting service have a domain or proxy signature. Messages which are from the hosting service, but have neither a domain signature nor a proxy signature, are not authenticated, even if they pass SPF.

Is this worth standardizing as a best practice (in a future document)?

Doug Foster
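The evaluation rule proposed in the message above, sketched in Python as an added example; it is not part of the original post or of any standard. Assumptions: periods in the Google label are replaced with hyphens, the caller has already decided whether the sending host belongs to a hosting service, and `ms_tenants` is a hypothetical evaluator-maintained table, since the onmicrosoft.com fragment cannot be derived from the client domain.

```python
import re

# d= shapes of the hosting-service signatures named in the message above.
GOOGLE_PROXY = re.compile(r"^([a-z0-9-]+)\.\d+\.gappssmtp\.com$")
MICROSOFT_PROXY = re.compile(r"^([a-z0-9-]+)\.onmicrosoft\.com$")


def google_label(domain):
    # Assumption: periods in the client domain are replaced with hyphens.
    return domain.lower().replace(".", "-")


def classify(from_domain, spf_pass, service, dkim_pass_domains, ms_tenants=None):
    """Classify how a message is authenticated to its From domain.

    service: "google", "microsoft" or None; whether the sending host belongs
        to a hosting service is assumed to be decided by the caller.
    dkim_pass_domains: d= values of the DKIM signatures that verified.
    ms_tenants: hypothetical evaluator-maintained map, From domain ->
        onmicrosoft.com fragment (it cannot be derived from the domain).
    """
    from_domain = from_domain.lower().rstrip(".")
    signed = [d.lower().rstrip(".") for d in dkim_pass_domains]

    # Domain signature: exact d= match only (a simplification of alignment).
    if from_domain in signed:
        return "domain-signature"

    for d in signed:
        g = GOOGLE_PROXY.match(d)
        if service == "google" and g and g.group(1) == google_label(from_domain):
            return "proxy-signature"
        m = MICROSOFT_PROXY.match(d)
        if (service == "microsoft" and m
                and (ms_tenants or {}).get(from_domain) == m.group(1)):
            return "proxy-signature"

    # SPF alone counts only when no hosting service is involved.
    if service is None and spf_pass:
        return "spf-only"
    return "unauthenticated"
```

Under the hyphen assumption, `a-b.example` and `a.b.example` produce the same label, so a proxy match is weaker evidence than a domain signature.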
