[ietf-dkim] SSP thought experiment
Douglas Otis
dotis at mail-abuse.org
Fri Aug 4 11:55:31 PDT 2006
On Aug 4, 2006, at 11:05 AM, John L wrote:
> a) "SIGN ALL MAIL" and "DO NOT USE ANY SERVICES KNOWN TO DAMAGE
> THEIR SIGNATURES"
>
> b) "SIGN ALL MAIL"
>
> I want to put "ALL MAIL HAS TOM SWIFTIES" in my SSP.
>
> Assuming you agree that's ridiculous, what's the practical
> difference to people using SSP between that and b) above?
The From email-address DKIM policy represents a partial or complete
list of signing domains (valid sources). Whether partial or complete,
this list might allow recipients to verify that 90% of the From
domains have a valid association with the signing domain. This
leaves a remaining 10% that must be treated according to the
reputation of the SMTP client or a non-designated signing domain.
However, a client DKIM policy transaction offers a means to greatly
improve the odds of blocking abuse with DKIM.
Require that all DKIM clients use a "_dkim.<host-name>" that can be
verified with a simple Address record lookup. This would enable a
DKIM client policy. The DKIM client policy can assert "ONLY SEND
SIGNED DKIM MESSAGES." A client that does not authenticate or does
not sign with DKIM can then be blocked.
DKIM client policy will prevent a significantly greater number of
abusive messages without creating delivery issues for valid
messages. For DKIM to succeed, it must not cause delivery problems
or support issues.
-Doug
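A small model of the client-policy check proposed in the message above, added here as an example; it is not code from the post, from the DKIM working group, or from any DKIM implementation. The record name "_dkim.<host-name>" and the assertion text "ONLY SEND SIGNED DKIM MESSAGES" are taken from the post. Everything else is an assumption made for illustration: the DNS data is a constructed in-memory table standing in for real A/TXT lookups, the EHLO host name is used as <host-name>, and the policy is carried in a TXT record under a hypothetical "client=" tag.

```python
"""Model of the "DKIM client policy" check sketched in the post above.

Added example, not code from the post or from any DKIM implementation.
The DNS table, the choice of the EHLO host name as <host-name>, and the
"client=" TXT tag are assumptions made here for illustration.
"""
import ipaddress
from typing import List, Optional

# Constructed DNS data (assumption) standing in for real A/TXT lookups.
DNS = {
    "_dkim.mx1.example.com": {
        "A": ["192.0.2.10", "192.0.2.11"],
        "TXT": ["client=ONLY SEND SIGNED DKIM MESSAGES"],
    },
    # A client that authenticates but publishes no policy assertion.
    "_dkim.relay.example.net": {"A": ["198.51.100.7"]},
}

# Assertion text from the post.
POLICY_SIGNED_ONLY = "ONLY SEND SIGNED DKIM MESSAGES"


def lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS query; [] models NXDOMAIN/NODATA."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def client_authenticates(host_name: str, client_ip: str) -> bool:
    """The post's authentication step: the connecting address must be one
    of the A records published at _dkim.<host-name>."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    addrs = lookup("_dkim." + host_name, "A")
    return any(ipaddress.ip_address(a) == ip for a in addrs)


def client_policy(host_name: str) -> Optional[str]:
    """Return the policy assertion from the TXT record, if one is published.
    The "client=" tag is an assumption of this example."""
    for txt in lookup("_dkim." + host_name, "TXT"):
        txt = txt.strip()
        if txt.startswith("client="):
            return txt[len("client="):].strip()
    return None


def evaluate_client(host_name: str, client_ip: str,
                    has_dkim_signature: bool) -> str:
    """Apply the post's rule: a client that does not authenticate, or that
    sends an unsigned message while asserting it only sends signed ones,
    can be blocked. Clients with no assertion fall back to reputation."""
    if not client_authenticates(host_name, client_ip):
        return "reject:client-not-authenticated"
    policy = client_policy(host_name)
    if policy == POLICY_SIGNED_ONLY and not has_dkim_signature:
        return "reject:unsigned-despite-signed-only-policy"
    if policy is None:
        # No assertion published: the post leaves these to the reputation
        # of the SMTP client rather than to policy.
        return "accept:no-client-policy"
    return "accept"


if __name__ == "__main__":
    cases = [
        ("mx1.example.com", "192.0.2.10", True),
        ("mx1.example.com", "192.0.2.10", False),
        ("mx1.example.com", "203.0.113.5", True),
        ("relay.example.net", "198.51.100.7", False),
        ("unknown.example.org", "203.0.113.9", True),
    ]
    for host, ip, signed in cases:
        print(host, ip, "signed" if signed else "unsigned",
              "->", evaluate_client(host, ip, signed))
```

The interesting property is in the third and fourth cases: a host that claims a policy-bearing name from an address not listed under it is rejected before its policy is even read, while a host that authenticates but publishes nothing is neither blocked nor trusted by this check and is handed to whatever reputation logic the receiver already runs.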