From mboxrd@z Thu Jan  1 00:00:00 1970
From: tih@hamartun.priv.no (Tom Ivar Helbekkmo)
Date: Sun, 24 Sep 2017 08:52:38 +0200
Subject: [TUHS] Excessive bouncing ... argh!
In-Reply-To: <1506211413.2463391.1116102400.5185FFC5@webmail.messagingengine.com>
 (random's message of "Sat, 23 Sep 2017 20:03:33 -0400")
References: <20170921223420.GA27231@minnie.tuhs.org>
 <m27ewprgys.fsf@thuvia.hamartun.priv.no>
 <1bfefa2f-4433-0d13-5972-ffb92bae3fa1@tnetconsulting.net>
 <1506211413.2463391.1116102400.5185FFC5@webmail.messagingengine.com>
Message-ID: <m27ewosi4p.fsf@thuvia.hamartun.priv.no>

random832 at fastmail.com writes:

> Do the standards provide a way to allow mailing lists (or other kinds
> of forwarders) to get around this?

They do.

> Maybe by having the original mail server digitally sign the message
> and allowing it to be forwarded with the signature intact.

That's called DKIM.  :)

An early attempt at protection against forgeries was SPF, which is a way
to tell recipients (by way of DNS) which mail servers are allowed to
send mail from a given domain.  That's too simplistic, though, as it
doesn't provide for mailing lists or other forwarders.

Adding DKIM, you get a cryptographic checksum covering a few headers,
and the body of the message.  The receiving mail system can use this to
verify that the sender is who the message claims.  The bits that are
checksummed have to be intact, though: the mailing list (or other
forwarder) must not modify the From:, To:, Date:, or Subject: headers,
nor the body of the message.

Finally, DMARC is a DNS based way to specify what to do with a message
that claims to be from your domain, but fails both SPF and DKIM
checks -- i.e. it's being delivered by a non-authorized mail system, and
it also lacks a verifiable DKIM signature.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay