[ietf-dkim] SSP acceptance chart
dotis at mail-abuse.org
Wed Nov 2 15:22:50 PST 2005
On Nov 2, 2005, at 11:50 AM, Hector Santos wrote:
> I doubt that an email service, who values customer service and PR
> as much as the next service, will not disclose a TOS or inform
> users the change in policies.
Terms of service are irrelevant. Who is held accountable with
respect to reputation? SSP authorization invites the email-address
domain owner to be held accountable via MUA/MDA extensions. While
some providers see this as a major benefit, the only defensive
strategy permitted by this scheme is to prohibit all third-party
This removes independent use of email-addresses and list-servers, for
example. As a general principle, the entity introducing messages is
held accountable as a means to abate abusive traffic. SMTP can not
endure accepting all messages to then apply SSP policies on entities
unrelated to the introduction of the message. The added DKIM
verification process will only make this principle more critical,
especially with multiple signature stacks.
> In fact, with immediate SSP notification, it will provide legally
> friendly satisfication of user expectations.
When DSN are often dropped, a query for an optional 'r=' parameter in
an SSP record may be checked, but unlikely once the email-address
obtains a bad reputation. While there may be some feedback resulting
from this mechanism, there are few remedies available for the email-
address domain owner. One would expect the signing-domain granting
access to the abuser should be contacted instead. Stopping abuse at
the source then permits the added security of DKIM.
> There might be risk for the email server who do not perform an SSP
> only which might cause user mail to be later rejected or worst lost.
I think you are saying that providers should check whether the email-
address has authorized their domain before sending? If not, the
message may be deleted.
> I remain unconvinced that most, if not, significant majority, Email
> Services, especially commercial ones, will not be interested in
> protecting their service from unrestricted domain abuse.
This is indeed a common refrain. Until MUAs are modified, DKIM
offers no such protection however. When MUAs are modified, the
signing-domain should be made visible in some manner. This could by
done when an initial message is received, where the user is asked to
approve these identifiers. Anytime an identifier appears to have
changed, or another message looks like a message with retained
identifiers, they should be alerted. In that case, there would no
need for an SSP scheme. None! This could be enhanced by offering
recommendations contained directly within the signature on the scope
of identifier needed to isolate the author.
More information about the ietf-dkim