[ietf-dkim] Re: Attempted summary

Douglas Otis dotis at mail-abuse.org
Sat Jan 28 14:34:35 PST 2006 

On Jan 27, 2006, at 2:37 PM, John Levine wrote:

>> Associating the signature with the signing host (or listname at host)  
>> is what I expect a mailing list would do.  But the reputation  
>> decision is required to really know that it's a list.  It's not  
>> sufficient to see a list-id or any other header field to know its  
>> role.
>
> I don't understand why you need to know it's a list.  If phoo.com  
> has a good reputation, why does it matter whether it's signing list  
> mail or individual love letters?

A DKIM signing-domain may not prove suitable for white-listing when  
replay abuse can not be controlled adequately.  There is no means to  
vet individuals for low cost or free services.  Perhaps the DKIM  
signing-domain may be limited to block-listing.  As such, DKIM will  
offer little acceptance value as bad actors might  not sign their  
messages or stage abusive message replays when their messages are  
signed.

There could still be value obtained by DKIM as an indication of the  
message source, simply to prevent spoofing.  Assume there is a next  
generation MUA or mail-filter.  You may wish to have messages marked  
when the source for a particular entity has been confirmed.  At the  
same time, you may also wish to be alerted when there appears to be a  
spoof of that message.  Perhaps this would allow you to update the  
registry that contains sources of important correspondents.  By  
allowing the signer to purport their role, these messages would not  
be marked as being a valid source for these important messages  
(unless these sources were also registered) and thus would not create  
false conflict alerts.


> Anyway, on my system the lists all live in separate subdomains to  
> make them easier to manage, the signature would likely be in its  
> own domain separate from the one that love letters use anyway, so  
> if the lists were notably better or worse than the individual  
> messages, they'd have a separate reputation domain anyway.

This may be true for this case, but it would not always be true.

-Doug

More information about the ietf-dkim mailing list