In message <[email protected]>, Jim Fenton <[email protected]> writes

>On 20 Jan 2025, at 16:49, Richard Clayton wrote:
>
>> not really ... the issue that had been overlooked relates to a good
>> sender who hires someone to send their mail. One of the destinations
>> fails and the report goes back to the sender not to the intermediary who
>> is looking after the destination list. The same issue arises with
>> mailing lists in that individual contributors learn of delivery failures
>> whereas it is really a matter for the list owner to deal with.
>
>Please check my understanding of this: In this situation, wouldn’t the good
>sender use their own address (not their client’s) as the MAIL FROM address
>(which presumably is signed now), and wouldn’t the bounce go to that address
>normally?

that is what many intermediaries do ... but then DMARC alignment can
become an issue. Also there are some cases where an ESP (hired by a
brand) subcontracts delivery to another intermediary and both hops 2 and
3 could usefully see DSNs

>It’s not clear to me that one needs to walk back down the chain to
>have the bounce go to the right place.

the advantage of the DKIM2 chain is that there is cryptographic
assurance that all entities handled the mail. You have some assurance
with DKIM1 but this is not tied to the transport in a robust manner

>> the back-scatter issue relates to accepting email via a chain of
>> intermediaries and being unable to generate a delivery failure report
>> because of the risk of forgery... (so related, but a different balance
>> of good and evil).
>
>I guess in this case the bogus sender might forge a MAIL FROM address and DKIM2
>sign with that address, causing the bounce to be misdirected.

In the DKIM2 scheme we have outlined the MAIL FROM is irrelevant .. a DSN
only uses DKIM2 header fields to determine where it is to be sent

Since they cannot sign a forged address they cannot cause DSNs to go to
a third-party

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.              Benjamin Franklin

_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
