[ietf-dkim] Re: 3rd party signing (designated and non-designated)
dotis at mail-abuse.org
Mon Jul 31 11:42:17 PDT 2006
On Jul 31, 2006, at 10:13 AM, Hector Santos wrote:
> We were seeing quite a few invalid DomainKeys with fake domains
> that do not exist. Are we expecting DKIM to be an exception to this
> obvious abuse rule?
DKIM will not reduce the level of abuse. Bad actors are equally
capable of signing, mimicking non-DKIM use scenarios, and acquiring
new and used domain names. DKIM coupled with additional methods to
associate message elements with that of the signing domain should
improve delivery. An association with the signing domain with other
message elements may also assist during the envelope phase.
> Keep in mind, with DKIM-BASE, we have a methodology that says
> "Ignore Invalids." How does anyone expect this unprotected
> methodology to not be exploited?
Don't expect DKIM to be widely adopted when this means that
mailing-lists and the like lead to delivery failures. Permit a reasonable
policy statement that enables simpler modes for utilizing DKIM. DKIM
without policy still provides tremendous benefit.
> With DKIM-SSP, it helps eliminate the high potential abuse of
> "Ignore Invalids."
Please don't think of OA policy as an obstacle that email must
avoid. Bad actors are most able at navigating around impediments.
Think of policy as a means for small outfits to obtain an alternative
method for the signing domain to be associated with the OA domain.
In general, obstacles will block valid messages, but eventually few
abusive messages. Aggressive blocking based upon policy will raise
support costs and cause user dissatisfaction with little impact upon
the overall level of abuse. Alternatively, an association between
the OA and signing domain might improve delivery (avoid delays or
placement in the junk folder).
In exceptional cases where transactional messages are being spoofed,
there is also the issue of just the display-name being visible, look-
alike, and international domain names where spoofing might continue
despite strict DKIM policy. Blocking this form of abuse requires
comparing content within the message against known good sources of
such content based upon appearance. This type of effort seems beyond
DKIM policy, although DKIM sans policy assists in reducing the false
positive rate of this process.