[ietf-dkim] Should DKIM drop SSP?
dotis at mail-abuse.org
Thu Oct 27 15:04:27 PDT 2005
On Oct 26, 2005, at 8:30 PM, Hector Santos wrote:
> So as a SMTP vendor, I really don't care what your mail is about,
> who is
> from, etc, as long as you are who you say you are and if need be,
> you can be
> contacted and/or mail can be returned (bounce). In other words,
> "play by
> the rules" of the transport and email system.
Fortunately, the policies established by the recipient can be much
stronger than those established by the government or SMTP vendors.
Playing by the rules should include not sending unsolicited bulk email.
> So to me, DKIM with a strong SSP checking concept, provides another
> level of
> transaction consistency checking that may be used by the SMTP-DATA or
> POST-SMTP process to perform a final PAYLOAD check. I don't
> believe this
> checking should include a "REPUTATION" concept at this level. I
> think "DKIM
> signing consistency" is the key goal.
I am not against the repudiation aspect of non-signed messages. The
objection results from not considering which domain introduced the
message. The current SSP is not compatible with current email
practices and aimed specifically at establishing unfair reputation
assessments on email-address domains, rather than signing-domains.
Ask yourself why SSP precludes a signature that is is not bound to
some email-address. There could still be assertions that all servers
within a domain signs all messages. See I-D.crocker-csv-csa-00 for
> In all cases, it is about verification of the transport process
> entities and
> since we lack this with the current SMTP protocol, augmenting it
> with DKIM
> should at the very least be strongly offer a consistency model, not
> a weak
DKIM should identify the domain associated with the email message
transport. It is over-reaching, to say the least, when attempting to
use this mechanism to verify the author of the message. Leave that
effort to OpenPGP and S/MIME. By establishing the accountable
domain, abuse can be handled in a more efficient manner than it is
today. This would also afford opportunistic identifications akin to
that used with SSH. I don't think this aspect has been given any
More information about the ietf-dkim