dotis at mail-abuse.org
Thu Jul 27 16:22:31 PDT 2006
On Jul 27, 2006, at 3:40 PM, Jim Fenton wrote:
>> 3) have the ability for the policy statement say that a provider
>> (s) legitimately signs for that domain.
> The potential scaling problem with multiple providers in (3) is one
> of my main concerns with this approach. I have heard of
> enterprises with upward of 100 authorized mailers, so this has real
> potential to be an excessively long list.
For large enterprises, establishing formalized arrangements where
either a zone is delegated or a private key and selector information
is shared with trusted vendors will likely be a typical solution.
For a vast number of mom and pop outfits, a list of providers
offering their outbound services would likely never require anything
more than a few names. If mom and pop are also active on many
mailing lists, they may also want to express their list as "open-
ended" at this time.
> I have a somewhat less tangible concern, too. If example.com
> publishes an SSP record saying that some mail provider is an
> authorized sender, and there is an abuse problem, will example.com
> feel the same responsibility for the use of their address as if the
> message had been signed directly "by" their domain? They may not,
> and I view any spreading of the responsibility to be undesirable.
Regardless of the OA, spam will reflect poorly upon the signing
domain. Reports of abuse and expectations of who will resolve an
abuse issue always falls to the signing domain. There will not be
any "spreading" of responsibility. There is no means to know whether
the OA is even valid! The identity of the OA depends upon the
assertion made by the signing domain.
> We have put in lots of mechanisms for domains to delegate signing
> authority: they can delegate individual keys, the entire
> _domainkey zone, or a subdomain of that. Mailing providers are
> free to use the same keypair to sign for all of their customers, if
> they want to assume that risk, and they only need to apply the
> right domain name and selector when they sign. Is that really a
> big burden?
Yes. For a mom and pop outfit depending upon their ISP for outbound
mail service, setting up DKIM signing or zone delegations would be a
big burden. The support required to handle key or zone arrangements
would be an increased expense that might impeded DKIM adoption.
Setting up a static DSD list should be much less effort. The DSD
should also represent a significantly lower burden for smaller
outfits. They should still obtain improved annotations and be
affording added protections when their list is closed. If there is a
problem, mom and pop would then know where to complain, their
provider. They can always find a new provider as well.
More information about the ietf-dkim