[dkim-ops] [Q] _adsp._domainkey.klunky.co.uk - is this correct, and should I use it

McDowell, Brett bmcdowell at paypal-inc.com
Mon Feb 14 06:46:52 PST 2011


My quick comments for anyone considering ADSP:

ADSP is great if 100% of the mail you send from your domain is actually compliant to ADSP's strict definition of what an "author domain signature" is (and "discardable" is fine if you don't mind losing mil that traverses mailing lists).  So that's really the starting point for anyone considering ADSP.  But the second step is to go out and get a feedback loop from some intermediaries or mailbox providers.  Without visibility into what is happening with your mail after an authentication result is established, you are blind to your deliverability (which is not healthy because your false-positive rates could spike and you'd never know).

Some day ADSP will have to be "fixed" or "replaced" with something more useful to a broader set of use cases, and more usable in terms of facilitating the right kind of reporting/feedback loops.  But that's a story for another day ;-)

In the meantime, we are getting utility from ADSP.

-- Brett


On Feb 13, 2011, at 9:42 PM, Jim Fenton wrote:

> On 02/09/2011 07:25 AM, John Levine wrote:
>>> However, I did not know about the _adsp_ record.  I know that
>>> dkim-filter will look for this.
>>> 
>>> 	i) Should I add one.
>> Unless your name is Paypal, please don't.
>> 
>> ADSP is debatably of some use for the elite group of senders whose
>> domains are widely forged, and whose recipients are likely to suffer a
>> significant loss if they're fooled by the forgeries.  For the other
>> 99.999% of senders, it's just a way to ensure that some of your real
>> mail is thrown away.
>> 
> 
> A dissenting opinion:
> 
> I have been using ADSP "dkim=all" for quite some time from this domain 
> and have had no indication that any of my mail has been dropped.  Note 
> that my mail usage patterns are consistent with dkim=all (messages 
> always go through my MTA that does the signing), but I do send through 
> mailing lists such as this one that undoubtedly invalidate my DKIM 
> signature.
> 
> "dkim=discardable" is really intended for the domains John describes: 
> transactional domains like PayPal that (1) sign all their messages, (2) 
> don't generally send through mailing lists, etc. that invalidate their 
> signatures, and (3) would rather that a valid message be dropped than to 
> have a spoofed message make it through.
> 
> I'm not trying to kick off a new debate but thought that I should point 
> out that John's opinion isn't universally held.
> 
> -Jim
> _______________________________________________
> dkim-ops mailing list
> dkim-ops at mipassoc.org
> http://mipassoc.org/mailman/listinfo/dkim-ops




More information about the dkim-ops mailing list