Re: hack #2 for Yahoo DMARC breakage

["John R. Levine" <johnl () iecc com>]

> 2: introduce an "Original Authentication Results" header to indicate
> you have performed the authentication and you are validating it

This was someone's hack that doesn't work.  The idea is that you make an 
RFC5451 Authentication-Results header for the incoming message, change the 
name to original-authentication-results to circumvent some MTAs that strip 
incoming A-R headers, and send it as part of the signed outgoing message.

The reason it doesn't work is that spammers can add fake o-a-r headers as 
easily as lists can add real ones, so you need to make a whitelist of well 
behaved senders who don't send faked mail so you know whether to believe 
them.  But once you have the whitelist of well behaved senders, you can 
skip the o-a-r stuff and just deliver the mail.

I gather somewhere there is a private non-standard bilateral 
implementation of this, but it still seems like an awfully complicated way 
to do your spam filtering.

Regards,
John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature