[ietf-dkim] SSP thought experiment
dotis at mail-abuse.org
Fri Aug 4 11:55:31 PDT 2006
On Aug 4, 2006, at 11:05 AM, John L wrote:
> a) "SIGN ALL MAIL" and "DO NOT USE ANY SERVICES KNOWN TO DAMAGE
> THEIR SIGNATURES"
> b) "SIGN ALL MAIL"
> I want to put "ALL MAIL HAS TOM SWIFTIES" in my SSP.
> Assuming you agree that's ridiculous, what's the practical
> difference to people using SSP between that and b) above?
The From email-address DKIM policy represents a partial or complete
list of signing domains (valid sources). Whether partial or complete,
this list might allow recipients to verify that 90% of the From
domains have a valid association with the signing domain. This
leaves a remaining 10% that must be treated according to the
reputation of the SMTP client or a non-designated signing domain.
However, a client DKIM policy transaction offers a means to greatly
improve the odds of blocking abuse with DKIM.
Require that all DKIM clients use a "_dkim.<host-name>" that can be
verified with a simple Address record lookup. This would enable a
DKIM client policy. The DKIM client policy can assert "ONLY SEND
SIGNED DKIM MESSAGES." A client that does not authenticate or does
not sign with DKIM can then be blocked.
DKIM client policy will prevent a significantly greater number of
abusive messages without creating delivery issues for valid
messages. For DKIM to succeed, it must not cause delivery problems
or support issues.
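A small model of the client-policy check sketched above, added here as an example and not code from the post or from any DKIM implementation. The "_dkim.<host-name>" record layout (A records plus a "p=sign-all" text policy), the constructed DNS table and the session fields are all assumptions, and signature verification itself is stood in for by a boolean.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS: the post only says a "_dkim.<host-name>" name
# verifiable by an Address record lookup; the "txt" policy tag is assumed.
FAKE_DNS = {
    "_dkim.mta1.example.com": {"a": ["192.0.2.10"], "txt": "p=sign-all"},
    "_dkim.mta2.example.net": {"a": ["198.51.100.7"], "txt": "p=unknown"},
}


@dataclass
class ClientSession:
    ehlo_name: str          # host name the SMTP client identified itself with
    source_ip: str          # address the connection actually came from
    has_dkim_signature: bool  # stand-in for "message carries a valid DKIM signature"


def lookup_client_policy(ehlo_name: str, source_ip: str) -> Optional[str]:
    """Return the client policy published at _dkim.<host-name>, or None.

    The client counts as authenticated only when the A record for the
    _dkim name matches the connecting IP (the "simple Address record lookup").
    """
    record = FAKE_DNS.get("_dkim." + ehlo_name.lower())
    if record is None or source_ip not in record["a"]:
        return None
    return record["txt"]


def client_policy_verdict(session: ClientSession) -> str:
    """Apply the post's rule: block clients that do not authenticate, and
    block unsigned mail from clients asserting ONLY SEND SIGNED DKIM MESSAGES."""
    policy = lookup_client_policy(session.ehlo_name, session.source_ip)
    if policy is None:
        return "reject-unauthenticated"
    if policy == "p=sign-all" and not session.has_dkim_signature:
        return "reject-unsigned"
    return "accept"
```

A receiver that prefers the reputation fallback described earlier in the post would route "reject-unauthenticated" to its IP-reputation check instead of rejecting outright.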