-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <[email protected] il.com>, Douglas Foster <[email protected]> writes
>Google applies annotation signatures from <domainname>.<digits>. >gappsstmpt.com, with periods replaced in the domain name. >Microsoft applies proxy signatures from <domainfragment>.onmicrosoft.com pretty much every ESP adds a DKIM signature of their own ... it will not in general be aligned, but the DMARC reports will provide useful info >If, as I am hoping, the signature indicates that the message has been >authenticated to the indicated domain, then it provides a defense against >SPF upgrade attacks. Evaluators can require that messages from the >hosting service have a domain or proxy signature. since the "proxy signature" has an ESP specific (and perhaps hard to discern) linkage to the RFC5322 From I don't think this gains you very much. In practice ALL messages from the hosting service servers will have a DKIM signature applied, it's just hard to be sure how it is related to the actual mail flow ARC at least makes the provenance of the email that has been relayed to you rather more clear. > Messages which are from >the hosting service, but have neither a domain signature nor a proxy >signature, are not authenticated, even if they pass SPF. that's a way of saying "ignore SPF if no DKIM at all". >Is this worth standardizing as a best practice (in a future document)? Since the WG declined to provide an indicator for "ignore SPF when there is a valid aligned DKIM signature" I doubt this has much chance of widespread approval, let alone acceptance as a Best Practice. - -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBZmLBFd2nQQHFxEViEQJpagCgpgHc8nzolRYGvb4a/6jECP9ToFgAoKcm 5DXi3hQL99414v1KjchG/iNQ =r7CH -----END PGP SIGNATURE----- _______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
