[ietf-dkim] Re: DKIM and mailing lists
Douglas Otis
dotis at mail-abuse.org
Mon Jan 23 13:09:41 PST 2006
On Jan 23, 2006, at 12:14 PM, Miles libbey wrote:
> This is very interesting. For our antispam system I'd like to be
> able to distinguish between mailing list traffic and person to
> person traffic, since they largely have very different
> characteristics.
It is possible that direct person to person traffic and list-server
traffic use the same signing domain. The proposal for the 'w=?'
parameter is to identify three roles: the MSA, mediator, and MDA.
The MDA is intended to provide a non-deliverable signature, used in
much the same way as a non-routable IP address for local networks.
When the signature includes a mediator designation, rules regarding
the use of headers can be so tailored.
> In this sense, to me, 'do the right thing' would be to re-sign the
> message -- we've been able to use Yahoo! Groups (re)signing as a
> feature.
Agreed, but the domain itself may not be a clear indication that the
role of the MTA is a mediator and there are more mediators than just
list-servers. This would be more important when DKIM is attempting
to identify the source of originating email (MSA), and ensure it is
not confused with mediators such as list-servers, where it could be
seen otherwise as a spoof attempt.
> I'm sure that others could easily argue that doing the right thing
> is to leave the message in a way that encourages the final receiving
> system to check the initial signature, so they could apply rules
> based on the original author.
The concern there would be whether an anti-replay strategy develops
that attempts to hold the receiving domain accountable for replay. I
cannot imagine how one could use DKIM to safely hold the
email-address accountable. The replay abuse could just as easily occur
from the recipient. As a general rule, accountability should be
focused on the domain as a practical and manageable level of
resolution. There is virtually zero cost associated with adding
additional email-addresses, so what would an email-address reputation
be worth?
-Doug