
- Forwarding signature
The IETF DMARC list is discussing a mutant weak DKIM signature from a sending system (e.g. Yahoo and AOL) that would survive forwarding, but contains a list of forwarding target domains. It's only considered valid if it's accompanied by a signature from the forwarding domain, i.e., the list.
This is nice for list operators, since it requires nothing beyond not stripping the signature header, and signing on the way out.
How does this list of forwarding target domains get specified? Is this something the user has to do when they're sending the message?
It'd typically be the list domain, on the theory that lists will sign their outgoing mail with their own domain. If lists aren't signed with the list domain, some kludge would be required at the sending end, but it's intended to be fully automated.
It is my impression, having talked to tech managers at several large web mail providers this week, that if they could do something like this without a huge amount of effort, they probably would. They'd probably only add it on mail going to legitimate forwarders (for some definitions of legitimate and forwarders) but the large web mail providers already have a pretty good idea who those are.
R's, John
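
The receiver-side rule described above, sketched as an added example (not code from this thread or from any DKIM/DMARC draft). The `VerifiedSig` structure, its field names and the `.example` domains are hypothetical; cryptographic verification is assumed to have happened already, and it is an assumption here that only an ordinary signature from the forwarder can vouch for a weak one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifiedSig:
    """One DKIM signature after cryptographic checking (done elsewhere)."""
    domain: str                               # signing domain
    crypto_ok: bool                           # did the signature verify?
    forward_targets: frozenset = frozenset()  # non-empty => weak forwarding signature


def authenticated_domains(sigs):
    """Return the domains whose signatures count for this message.

    An ordinary signature counts whenever it verifies. A weak forwarding
    signature counts only if it verifies AND one of the domains it lists
    has also placed a valid ordinary signature on the same message.
    """
    ordinary = {
        s.domain.lower()
        for s in sigs
        if s.crypto_ok and not s.forward_targets
    }
    accepted = set(ordinary)
    for s in sigs:
        if not (s.crypto_ok and s.forward_targets):
            continue
        listed = {t.lower() for t in s.forward_targets}
        if listed & ordinary:  # a listed forwarder signed on the way out
            accepted.add(s.domain.lower())
    return accepted


# Constructed sample: the sender lists list.example as a forwarding target.
WEAK = VerifiedSig("sender.example", True, frozenset({"list.example"}))
LIST_OK = VerifiedSig("list.example", True)
LIST_BAD = VerifiedSig("list.example", False)
OTHER_OK = VerifiedSig("other.example", True)

if __name__ == "__main__":
    for label, sigs in [
        ("forwarded by the listed list", [WEAK, LIST_OK]),
        ("weak signature on its own", [WEAK]),
        ("re-signed by an unlisted domain", [WEAK, OTHER_OK]),
        ("list signature fails to verify", [WEAK, LIST_BAD]),
    ]:
        print(f"{label}: {sorted(authenticated_domains(sigs))}")
```

Only the first case lets the sender's domain count, which is why a copy of the weak signature lifted onto a message re-signed by some unlisted domain gains nothing.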