Hector Santos wrote:

> Subject: Check your account
> Date: Sun, 27 Aug 2006 05:04:42 -0700
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sender: [EMAIL PROTECTED]
> DKIM-Signature: d=bank.com    # invalid 1st party
> DKIM-Signature: d=asp.com...  # valid 3rd party
[...]
> According to DKIM-BASE, the valid 3PS signature would make
> this a valid DKIM message, even if the 1st party signature
> failed.

As far as asp.com is concerned it is valid, no hops between you and them manipulated the mail. Maybe one of their users got a legit mail from bank.com and forwarded it to his mailbox behind your MX - but then I'd expect to see a Resent-From or similar.

So from your POV it's invalid if the bank.com SSP says so, and if you didn't forget to mention an important header field. But your user might have arranged his forwarding via a munger, then it's the known SPF problem.

> it is the unrestricted vs. restricted 3rd party signatures
> that we mostly differ at. At least that is how I see where
> the disagreement lies.

It can be both correct: Let's take a realistic example, GMail starts to offer forwarding, but adds some ads plus their own signature, destroying the signature of bank.com.

If we have a couple of "MUST reject" and implementations actually doing this they might give up. Something has to give, bank.com, the munger, the verifier, or the user.

With mail I expect the worst, the crap is dumped with a big red "fishy" icon into the mailbox of the unhappy user. The user will delete it unread, bank.com will give up its SSP, the verifier gives up to use DKIM... tell me why I'm wrong.

Frank

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
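
Added example, not part of either poster's message: a Python sketch of the two readings debated above, the DKIM-BASE view where any valid signature counts and a restricted view where only a first-party signature satisfies the author domain. The From address, the `VERIFIED` results, the `restrict_third_party` flag (a stand-in for whatever the bank.com SSP record would say, not SSP syntax) and the parent-domain matching rule are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the quoted headers; the addresses and b=
# values are placeholders and no cryptographic verification happens here.
RAW = """\
Subject: Check your account
From: service@bank.com
To: user@example.net
DKIM-Signature: v=1; a=rsa-sha256; d=bank.com; s=s1; b=placeholder
DKIM-Signature: v=1; a=rsa-sha256; d=asp.com; s=s2; b=placeholder

body
"""

# Assumed output of a DKIM verifier, keyed by d= domain (constructed).
VERIFIED = {"bank.com": False, "asp.com": True}


def signing_domains(msg):
    """Return the d= domain of every DKIM-Signature header, in order."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        pairs = (t.partition("=") for t in value.split(";"))
        tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def is_first_party(d, author_domain):
    """Assumption: d= is first party if it is the From domain or a parent of it."""
    return author_domain == d or author_domain.endswith("." + d)


def evaluate(raw, verified, restrict_third_party):
    """Compare the any-valid-signature view with a first-party-only policy view."""
    msg = message_from_string(raw)
    author = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    good = [d for d in signing_domains(msg) if verified.get(d)]
    first_ok = any(is_first_party(d, author) for d in good)
    # DKIM-BASE view: one verifying signature from anyone is enough.
    base = "pass" if good else "fail"
    # Policy view: a third-party signature only helps if the author domain allows it.
    policy = "pass" if first_ok or (good and not restrict_third_party) else "fail"
    return {"author": author, "valid": good, "base": base, "policy": policy}
```

With the sample results, `evaluate(RAW, VERIFIED, True)` passes the base view on the asp.com signature while failing the policy view, which is the case the thread is arguing about.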
