[ietf-dkim] Should DKIM drop SSP?
markd+dkim at yahoo-inc.com
Wed Oct 26 18:01:33 PDT 2005
> Risks to valid messages associated with these policies and a lack of
> a defensive strategy remain the greatest risks to a successful
> outcome. There are several that see From email-address authorization
> mechanisms as the means for abating spam. I see this as a dead-horse,

I disagree completely. Since we're talking about a sender policy, each
sender is at liberty to inflict as much (or as little) damage on their
own traffic as they see fit. As a receiver, I have zero problem with
that. If BofA can convey to me that no one can use their domain in
2822.From unless authenticated, I'd love to oblige.

More importantly, the ability to constrain inappropriate use of a
domain is clearly the number one desire of high value domains. SSP is
often the *only* thing of interest to these folk wrt email
authentication. They could care less about the bits involved in
implementing DK, DKIM, SPF, Caller-ID, whatever. They care about the
consequential outcome and the levers they have to protect themselves.
Far from being a dead horse, a workable SSP is probably the primary
motivation for adopting DKIM by such folk. If this group can't make
SSP/DKIM be a basis for solving those needs then we'll lose our most
valuable constituency - senders of value to our recipients.

... and I do emphasize "basis". In a year's time, maybe BofA will ask
us to reject content that contains their URL unless authenticated. I'm
amenable to that. In two years' time they may ask us not to release a
BofA password from our Crypto-Wallet excepting to a matching
authenticated URL. I'm amenable to that too.

I'm sure we'll get this SSP wrong. We will miss a whole bunch of
stuff. Exploiters will show our failings as soon as we ship. But we
will have a basis for SSP2 and maybe by SSP4 we'll get it mostly
right, but we need SSP1 to get the ball rolling.