[ietf-dkim] SSP acceptance chart
Douglas Otis
dotis at mail-abuse.org
Wed Nov 2 15:22:50 PST 2005
On Nov 2, 2005, at 11:50 AM, Hector Santos wrote:
> I doubt that an email service, who values customer service and PR
> as much as the next service, will not disclose a TOS or inform
> users the change in policies.
Terms of service are irrelevant. Who is held accountable with
respect to reputation? SSP authorization invites the email-address
domain owner to be held accountable via MUA/MDA extensions. While
some providers see this as a major benefit, the only defensive
strategy permitted by this scheme is to prohibit all third-party
signatures.
This removes independent use of email-addresses and list-servers, for
example. As a general principle, the entity introducing messages is
held accountable as a means to abate abusive traffic. SMTP cannot
endure accepting all messages to then apply SSP policies on entities
unrelated to the introduction of the message. The added DKIM
verification process will only make this principle more critical,
especially with multiple signature stacks.
> In fact, with immediate SSP notification, it will provide legally
> friendly satisfaction of user expectations.
When DSN are often dropped, a query for an optional 'r=' parameter in
an SSP record may be checked, but unlikely once the email-address
obtains a bad reputation. While there may be some feedback resulting
from this mechanism, there are few remedies available for the
email-address domain owner. One would expect the signing-domain granting
access to the abuser should be contacted instead. Stopping abuse at
the source then permits the added security of DKIM.
> There might be risk for the email server who do not perform an SSP
> only which might cause user mail to be later rejected or worse, lost.
I think you are saying that providers should check whether the
email-address has authorized their domain before sending? If not, the
message may be deleted.
> I remain unconvinced that most, if not, significant majority, Email
> Services, especially commercial ones, will not be interested in
> protecting their service from unrestricted domain abuse.
This is indeed a common refrain. Until MUAs are modified, DKIM
offers no such protection however. When MUAs are modified, the
signing-domain should be made visible in some manner. This could be
done when an initial message is received, where the user is asked to
approve these identifiers. Anytime an identifier appears to have
changed, or another message looks like a message with retained
identifiers, they should be alerted. In that case, there would be no
need for an SSP scheme. None! This could be enhanced by offering
recommendations contained directly within the signature on the scope
of identifier needed to isolate the author.
-Doug
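
The identifier retention described in the message above (approve on first contact, alert on a changed signing-domain or a look-alike author), shown as an added example that is not part of the original post or of any DKIM implementation. It assumes the signatures were already verified by a separate DKIM verifier; the class and function names, the sample messages and the 0.9 similarity threshold are hypothetical.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr


def signing_domains(msg):
    """Return the d= tag of each DKIM-Signature header, lower-cased."""
    found = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in header.split(";"):
            name, sep, value = part.partition("=")
            if sep:
                tags[name.strip()] = value.strip()
        if "d" in tags:
            found.append(tags["d"].lower())
    return found


class RetainedIdentifiers:
    """Author address -> signing domain the user approved (hypothetical store)."""

    def __init__(self, lookalike_ratio=0.9):  # threshold is an assumption
        self.approved = {}
        self.lookalike_ratio = lookalike_ratio

    def approve(self, author, domain):
        self.approved[author.lower()] = domain.lower()

    def check(self, raw_message):
        msg = message_from_string(raw_message)
        author = parseaddr(msg.get("From", ""))[1].lower()
        domains = signing_domains(msg)
        if not domains:
            return "unsigned"
        if author in self.approved:
            # Known author: any signature from the approved domain is fine.
            return "ok" if self.approved[author] in domains else "alert-changed"
        for known in self.approved:
            if SequenceMatcher(None, author, known).ratio() >= self.lookalike_ratio:
                return "alert-lookalike"
        return "ask-user"  # first contact: user approves the identifiers


def sample(author, domain):
    """Constructed message; signature values are placeholders, not real."""
    return (f"From: {author}\nDKIM-Signature: v=1; a=rsa-sha256; d={domain};\n"
            " s=sel1; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
            "Subject: test\n\nbody\n")
```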