
Add text to A/S about what mail agents should do/not do with Received header fields #85

Open
aamelnikov opened this issue Feb 28, 2023 · 3 comments

Comments

@aamelnikov

No description provided.

@aamelnikov (Author)

Initial suggestion is to add something like this:

"Received header fields are not normally useful to the end user, becoming useful only when there are delivery problems with a message or when the message itself is problematic or suspicious for some reason. Their content is also fairly easy to fake should someone desire to do that. Therefore, if anyone or anything receiving a message pays attention to such fields that it did not insert (or otherwise have reason to trust), they should be used with care, whatever information seems to be valuable used as appropriate, but with no assumptions of trust especially when syntax or values occur that are not defined by the specifications [rfc5321bis] [rfc5322bis]."

@ksmurchison

ksmurchison commented Jul 1, 2024

@aamelnikov now prefers the current text in Section 3.2.2:

Received header fields are primarily for use when there are concerns about a message, such as to analyze handling or delivery problems, or to aid evaluation of a message with suspicious content or attributes. Received header fields are easily created and have no direct security or privacy protections.

Therefore, the fields do not warrant automatic trust. They should be used with care, for whatever information is deemed valuable, and especially when syntax or values occur that are not defined by the specifications [I-D.ietf-emailcore-rfc5321bis] [I-D.ietf-emailcore-rfc5322bis].

@ksmurchison

ksmurchison commented Jul 16, 2024

Dave Crocker suggests tweaking the current text to:

Received header fields support analysis of handling and delivery problems, as well as aiding evaluation of a message with suspicious content or attributes. The fields are easily created and have no direct security or privacy protections, and the fields can contain personally identifiable information.

Therefore, the fields do not warrant automatic trust and do warrant thoughtful disclosure to others. They should be used with care, for whatever information is deemed valuable, and especially when syntax or values occur that are not defined by the specifications [I-D.ietf-emailcore-rfc5321bis] [I-D.ietf-emailcore-rfc5322bis].
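The trust model all three drafts of the text describe (Received fields are easily created; only the hops you inserted yourself, or otherwise have reason to trust, deserve reliance; undefined syntax warrants extra care; the fields carry PII and warrant thoughtful disclosure) can be made concrete in code. The following Python is an added example and is not code from this thread or from the emailcore drafts. It assumes a single trusted receiving MTA, `mx.example.net`, parses a constructed three-hop message, and uses the made-up WITH value `TOTALLY-LEGIT` to trip the registry check; the registry set is a subset of the IANA "WITH protocol types" that RFC 5321 section 4.4 refers to.

```python
"""Triage of Received header fields: trust only hops our own MTA inserted,
flag syntax outside the registered vocabulary, and redact client addresses
before the trace is disclosed.  Added example, not emailcore draft code."""
import email
import re

# Assumption: the MTAs we operate.  Only the unbroken run of Received fields at
# the top of the header block whose "by" names one of these was written by us.
OUR_MTAS = {"mx.example.net"}

# Subset of the IANA "WITH protocol types" registry (RFC 5321 section 4.4);
# anything else is syntax the specifications do not define.
REGISTERED_WITH = {
    "SMTP", "ESMTP", "ESMTPA", "ESMTPS", "ESMTPSA",
    "LMTP", "LMTPA", "LMTPS", "LMTPSA",
    "UTF8SMTP", "UTF8SMTPA", "UTF8SMTPS", "UTF8SMTPSA",
}

# Constructed sample, not a real capture.  Received fields are prepended, so
# the first is the newest: the hop mx.example.net itself recorded.  The last
# one claims mx.example.net relayed it, but it sits below the hop we wrote, so
# it arrived inside the message and the sender could have typed anything.
SAMPLE = (
    "Received: from mail.partner.example (mail.partner.example [198.51.100.7])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id 4Xyz123\n"
    "\tfor <alice@example.net>; Mon, 1 Jul 2024 10:00:05 +0000\n"
    "Received: from [10.0.0.5] (unknown [203.0.113.9])\n"
    "\tby mail.partner.example with ESMTPA id abc001\n"
    "\tfor <alice@example.net>; Mon, 1 Jul 2024 09:59:58 +0000\n"
    "Received: from secure.bank.example by mx.example.net with TOTALLY-LEGIT id 1;\n"
    "\tMon, 1 Jul 2024 09:00:00 +0000\n"
    "From: bob@partner.example\n"
    "To: alice@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# A dotted quad, optionally bracketed as an address literal, as MTAs write it.
IPV4 = re.compile(r"\[?\b(?:\d{1,3}\.){3}\d{1,3}\b\]?")


def parse_received(value):
    """Split one Received field into its clauses (RFC 5321 section 4.4)."""
    text = " ".join(value.split())            # unfold: collapse all FWS
    clauses, _, date = text.rpartition(";")   # the date follows the last ';'

    def clause(name):
        m = re.search(r"(?:^|\s)" + name + r"\s+(\S+)", clauses, re.IGNORECASE)
        return m.group(1) if m else None

    # The parenthesised comment after "from" is what the receiving MTA itself
    # observed (rDNS name, connecting IP), as opposed to what the client said.
    m = re.search(r"\bfrom\s+\S+\s+\(([^)]*)\)", clauses, re.IGNORECASE)
    return {
        "from": clause("from"), "from_comment": m.group(1) if m else "",
        "by": clause("by"), "with": clause("with"), "id": clause("id"),
        "for": clause("for"), "date": date.strip(),
    }


def triage(raw_message, our_mtas=OUR_MTAS):
    """One dict per hop, newest first, with 'trusted' and 'warnings'.

    The first hop whose 'by' is not ours ends the run we wrote ourselves; every
    field below it was already in the message on arrival, so it is never
    trusted, even when it names one of our MTAs.
    """
    msg = email.message_from_string(raw_message)
    hops, in_our_run = [], True
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        by = (hop["by"] or "").lower()
        if in_our_run and by not in our_mtas:
            in_our_run = False
        hop["trusted"] = in_our_run
        hop["warnings"] = []
        with_ = (hop["with"] or "").upper()
        if with_ and with_ not in REGISTERED_WITH:
            hop["warnings"].append(f"unregistered WITH value {hop['with']!r}")
        if not hop["trusted"] and by in our_mtas:
            hop["warnings"].append("claims our MTA relayed it but sits below our own hops")
        hops.append(hop)
    return hops


def redact_for_disclosure(hops):
    """Strip connecting-client addresses (PII) before sharing hops with a third
    party, e.g. in an abuse report; relay names and timestamps remain."""
    out = []
    for hop in hops:
        h = dict(hop)
        h["from"] = IPV4.sub("[redacted]", h["from"] or "")
        h["from_comment"] = IPV4.sub("[redacted]", h["from_comment"])
        out.append(h)
    return out


if __name__ == "__main__":
    for hop in redact_for_disclosure(triage(SAMPLE)):
        print("trusted  " if hop["trusted"] else "untrusted", hop["from"],
              hop["from_comment"], "->", hop["by"], hop["with"], hop["warnings"])
```

Run as a script it prints the three hops: the top one trusted, the partner's hop untrusted but clean, and the bottom one untrusted with two warnings, one for the unregistered WITH value and one because it names our MTA from below the boundary. The trust boundary is positional, not textual: a field is believed because of where it sits relative to the hops we know we wrote, never because of the host names it contains.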
