[ietf-dkim] The URL to my paper describing the DKIM policy options
Michael Thomas
mike at mtcc.com
Sun Jul 30 15:55:16 PDT 2006
Jim Fenton wrote:
>Hector Santos wrote:
>
>
>>With a signature existing, you will always need to check the SSP in order to
>>check for a "Never Sign" or "We don't send mail from domain. It's Forged"
>>expectation.
>>
>>So you always need to check for SSP first.
>>
>>
>>
>So you mean "with a valid signature existing?" If so, isn't that a
>contradiction in the published information, so why should I assume SSP
>is right?
>
>
Especially when you consider that would be a big fat juicy target
for a would-be DOS attacker: spoof SSP "I don't send email" policy
and now all of a sudden legitimately signed mail looks extremely
suspicious.
Mike