[ietf-dkim] Are verifiers expected to query SSP on a successful verify?
Douglas Otis
dotis at mail-abuse.org
Mon Jul 31 10:04:53 PDT 2006
On Jul 31, 2006, at 9:42 AM, Arvel Hathcock wrote:
> > I guess I had been making the assumption that an SSP query is only
> > necessary on a verification failure. Some of the conversations seem to
> > suggest that an SSP query will be needed regardless of the success of
> > the verify. Is that the case at all? The uncommon case? The common
> > case?
>
> Currently, the policy of "I don't send mail" would require an SSP
> query for each message. That is making less and less sense to me.
> Either a signature (which covers the From: domain) is there or it's
> not. If it's there what more could SSP usefully contribute to the
> process?
The policy would be checked for the OA domain when there is not a
valid signature from that domain. When checking the OA domain
policy, it could be apparent that this domain never sends mail by
having an empty designated signing domain list and a flag that
indicates that non-designated domains are not used. This would not
involve any additional transactions than already required. The
benefit would be the immediate handling of invalid signatures in this
case.
-Doug