On Thu, May 8, 2025 at 6:03 PM John Levine <[email protected]> wrote:
> It appears that Bron Gondwana <[email protected]> said:
> >So if there's anything ARC currently does better, I'd want to see if we
> >can implement that into DKIM2 as well. One case that has already been
> >discussed is the signed Authentication-Results headers, and I would be
> >very keen for a `DKIM2-Authentication-Results: ...
>
> I have mixed feelings about this. On the one hand, a likely model for
> mailing lists, borrowed from ARC, is to look back through the chain and
> if the original message was DMARC aligned, accept the list's version. If
> you can just pick the DMARC result out of a header, that would be nice.
> On the other hand, a buggy or malicious system could lie about A-R
> results, so I was wondering how you could check for that.
>
> When I look at the A-R headers in my mailbox, I see results for DKIM,
> DMARC, and SPF. If DKIM2 recipients undo the changes and check the chain
> of signatures, they're going to know about each DKIM2 signature anyway.
> You can't recheck the SPF result, but we all seem to agree that if SPF
> isn't dead, it should be. If you have the DKIM results, it's trivial to
> figure out DMARC alignment. I don't see anything useful in the A-R header
> that the recipient doesn't know, or couldn't easily figure out.
>
> Am I missing something?

While I am mostly in agreement with your assessment, I should add nuance and describe where a DKIM2-Authentication-Result might be useful. Indeed I agree that DKIM2 can replace SPF and improves by permitting independent verification of an earlier receiver's result. Where DKIM2-Authentication-Result can be helpful is to provide a convenient place to show intermediate MTA DKIM2 validation results and the context of those computations as comments that may be helpful for debugging. For example, in the larger thread there are comments saying the abuse enforcement is really up to the receiver's local policy.

While this has always been the prerogative of the receiver, the problem is that the sender may be confused by the enforcement action, and DKIM2-Authentication-Result may provide a means to communicate the reason for a particular decision if bounced (or to the recipient if quarantined) as a comment. Regular Authentication-Result headers wouldn't suffice because they are sometimes deleted by intermediaries. I would agree that DKIM2-Authentication-Result is not essential for DKIM2 to work. Folks who already do ARC may wish to continue generating DKIM2-Authentication-Result for the reasons I just mentioned. Other folks who have not adopted ARC will likely not bother updating their infrastructure for DKIM2 to support DKIM2-Authentication-Result.

-Wei
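The point made in the quoted reply above, that a receiver holding the DKIM results can derive DMARC alignment itself rather than trust an upstream A-R verdict, as an added example that is not part of the thread or any DKIM2 implementation. It parses the `dkim=` clauses of an RFC 8601 Authentication-Results value (simplified grammar) and tests strict and relaxed alignment against the RFC5322.From domain; the organizational-domain rule is a labelled two-label approximation, and the sample header is constructed.

```python
import re

# Constructed sample A-R value: one passing signature from a subdomain,
# one failing signature from an unrelated domain.
SAMPLE_AR = (
    "mx.example.net; "
    "dkim=pass (2048-bit key) header.d=news.example.com header.s=sel; "
    "dkim=fail header.d=example.org; "
    "spf=none smtp.mailfrom=example.com"
)


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption for illustration only: real DMARC verifiers consult the
    Public Suffix List, since 'co.uk'-style suffixes break this rule."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dkim_results(ar_value: str) -> list[tuple[str, str]]:
    """Return (result, header.d) for each dkim= clause in an A-R value.
    Clauses are ';'-separated; the first clause is the authserv-id and is
    skipped because it never starts with 'dkim='. Comments in parentheses
    are tolerated because only the first token carries the result."""
    results = []
    for clause in ar_value.split(";"):
        clause = clause.strip()
        if not clause.startswith("dkim="):
            continue
        result = clause.split()[0][len("dkim="):].lower()
        m = re.search(r"header\.d=([A-Za-z0-9.-]+)", clause)
        results.append((result, m.group(1).lower() if m else ""))
    return results


def dmarc_aligned(from_domain: str, ar_value: str, strict: bool = False) -> bool:
    """True if at least one passing DKIM signature's d= domain aligns with
    the From domain: identical under strict alignment, or sharing an
    organizational domain under relaxed alignment. Failing signatures and
    clauses without header.d never contribute, which is what stops an
    upstream A-R header from asserting alignment the receiver cannot see."""
    from_domain = from_domain.lower()
    for result, d in parse_dkim_results(ar_value):
        if result != "pass" or not d:
            continue
        if d == from_domain:
            return True
        if not strict and org_domain(d) == org_domain(from_domain):
            return True
    return False
```

In a DKIM2 receiver the same check would run over signatures it verified itself after undoing the chain's modifications, with the A-R text serving only as the debugging aid the reply describes.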
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
