Several differences: I am not worried about From authentication of ESP messages because I have concluded that the major ESPs can be trusted to authenticate their clients. The client might be malicious, but the identity will not be forged.

Along the same lines, ESPs are not doing forwarding so I don't have to deal with the identity confusion that forwarding creates. ESP signatures affirm their own identity only. They are not client-specific. If I had a lot of incoming forwards, I might be interested in the ESP signature when the ESP Mail from identity is lost. Without that problem, ESP signatures are redundant.

In short, ESPs have none of the risks associated with shared tenancy mail servers like Outlook.com. In that environment, SPF Pass with alignment is a weak validation of the From domain, and even that is sometimes lacking. DKIM is still best. Google's client-specific DKIM signature is an intermediate level of validation and it is useful to me. The client-specific signatures in Outlook.com are likely to be useful but I need to do more investigating.

Smaller hosting services will have trouble gaining trust, even if they use client-specific signatures, so the concept is not likely to scale up. But it works for me.

Doug

On Mon, Jun 10, 2024, 9:55 PM Neil Anuskiewicz <neil= [email protected]> wrote:

> On Jun 7, 2024, at 1:14 AM, Richard Clayton <[email protected]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In message <[email protected]
> il.com>, Douglas Foster <[email protected]> writes
>
> > Google applies annotation signatures from <domainname>.<digits>.
> > gappsstmpt.com, with periods replaced in the domain name.
> > Microsoft applies proxy signatures from <domainfragment>.onmicrosoft.com
>
> pretty much every ESP adds a DKIM signature of their own ... it will not
> in general be aligned, but the DMARC reports will provide useful info.
>
> Yes, there’s almost always a default signature signed by a domain owned by
> the ESP.
>
> I think this practice was started, in part, to ensure getting
> successfully on all the feedback loops. Now obviously you can add a second
> signature signed with your own domain. With many of the larger ESPs, as we
> likely all know already, aligned SPF isn’t an option. You can DKIM sign but
> you have to leave the envelope from to the ESP.
>
> Neil
> _______________________________________________
> dmarc mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
