> On Nov 11, 2018, at 5:23 AM, Henrik K <h...@hege.li> wrote:
>
> As I understand, the correct positioning of milter inserted internal headers
> would be above postfix's own. But it seems all Authentication-Results are
> added below it, so SpamAssassin won't consider them as internal.

While RFC7001 defines "Authentication-Results" as a trace header, and
says that it should be placed above other locally added trace headers:

    https://tools.ietf.org/html/rfc7001#section-2.1
    https://tools.ietf.org/html/rfc7001#section-4.1

applications that consume the header should be tolerant of placement
elsewhere:

    Note that there are a few message handlers that are only capable of
    appending new header fields to a message. Strictly speaking, these
    handlers are not compliant with this specification. They can still
    add the header field to carry authentication details, but any signal
    about where in the handling chain the work was done may be lost.
    Consumers SHOULD be designed such that this can be tolerated,
    especially from a producer known to have this limitation.

Therefore, your edge systems should remove any "Authentication-Results"
headers that claim the same "authserv-id", before prepending their own:

    https://tools.ietf.org/html/rfc7001#section-2.4

    Since agents consuming this field will use this identifier to
    determine whether its contents are of interest (and are safe to
    use), the uniqueness of the identifier MUST be guaranteed by the
    ADMD that generates it and MUST pertain to that ADMD. MUAs or
    downstream filters SHOULD use this identifier to determine whether
    or not the data contained in an Authentication-Results header field
    ought to be used or ignored.

With that, the position of the header should be less critical.

-- 
	Viktor.
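
The edge-system step described in the message above, as an added example that is not part of the original post: drop every inbound "Authentication-Results" field that claims the local authserv-id, then prepend the locally generated one. The identifier `mx.example.org`, the function names, the case-insensitive comparison and the sample message are assumptions constructed for illustration.

```python
import re

LOCAL_ID = "mx.example.org"  # assumed authserv-id of the local ADMD

def split_fields(header_block):
    """Split a raw header block into fields, keeping folded lines attached."""
    fields = []
    for line in header_block.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\r\n" + line      # continuation of previous field
        elif line:
            fields.append(line)
    return fields

def strip_comments(text):
    """Remove RFC 5322 comments, innermost first so nesting is handled."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\((?:[^()\\]|\\.)*\)", " ", text)
    return text

def authserv_id(field):
    """authserv-id claimed by an Authentication-Results field, else None."""
    name, _, value = field.partition(":")
    if name.strip().lower() != "authentication-results":
        return None
    value = strip_comments(value.replace("\r\n", ""))   # unfold, drop comments
    tokens = value.split(";", 1)[0].split()             # authserv-id [version]
    return tokens[0].strip('"').lower() if tokens else ""

def sanitize_and_prepend(raw, local_id, results):
    """Drop fields claiming local_id, then put our own field on top."""
    head, sep, body = raw.partition("\r\n\r\n")
    kept = [f for f in split_fields(head) if authserv_id(f) != local_id.lower()]
    own = f"Authentication-Results: {local_id}; {results}"
    return "\r\n".join([own] + kept) + sep + body

# Constructed sample: one field spoofing the local id, one from another ADMD.
SAMPLE = "\r\n".join([
    "Received: from client.example.net by mx.example.org; Sun, 11 Nov 2018",
    "Authentication-Results: (spoofed) MX.Example.Org 1;",
    "\tspf=pass smtp.mailfrom=sender.example.com",
    "Authentication-Results: upstream.example.net; dkim=pass header.d=example.net",
    "Subject: test",
    "",
    "body",
])

if __name__ == "__main__":
    print(sanitize_and_prepend(SAMPLE, LOCAL_ID, "spf=fail smtp.mailfrom=sender.example.com"))
```

After this step, any field carrying the local authserv-id was added inside the local ADMD, so a downstream consumer can select on the identifier instead of on header position.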