Incoming SMTP in the year 2017 and absence of DKIM (fwd)
John R. Levine
johnl at iecc.com
Sat Dec 2 19:51:16 CST 2017
In article <6134b4a7-9da8-2935-e9f6-e4374b3fdba4 at spamtrap.tnetconsulting.net>,
Grant Taylor via NANOG <gtaylor at tnetconsulting.net> wrote:
>The only way that I can think of is for the originating mail server to
>DKIM sign the message twice, 1st with the classic DKIM-Signature w/o the
>!fs tag, and 2nd with a DKIM-Signature that includes the !fs tag with a
>value of the recipient's domain.

>Is this what you were intending? A list of DKIM-Signatures linked via

Yup, with the chain typically having no more than one or two links,
since legit forwarding of the kind that might break DKIM is pretty
rare more than two deep.

>If I do understand correctly, I think that it's intriguing. I'm not
>aware of anything else that would work quite the same way.

That was the plan. I thought it was pretty clever, but like I said, the
large mail systems that developed ARC wanted to put the control with the
recipients, not the senders.