[ietf-dkim] A more fundamental SSP axiom
wayne at schlitt.net
Fri Aug 4 13:54:37 PDT 2006
In <44D36203.2060803 at mtcc.com> Michael Thomas <mike at mtcc.com> writes:
> Part of the problem here is the past record of SPF with over-zealous
> 550 if there's any hint of bogosity. We, for example, would be
> forced to take down a "we sign everything" policy if that were to
> happen with DKIM -- even though we'll be signing everything pretty
Based on the past record with SPF, is there any reason to believe that
people won't treat "I sign some email" as the same as "I sign all
email" and reject email that does not have a valid first party
signature? There are certainly lots of people who treat publishing
SPF records that end in NEUTRAL more harshly than not publishing SPF
records at all and this has caused at least one major ISP to remove
their SPF records.
(Yes, this is assuming DKIM reaches the same level of deployment that
SPF had back in early 2003. There isn't much danger right now.)
> If there were a qualifier in the "I sign everything policy"
> that specifically implies that sending a 550 based on a missing DKIM
> signature alone is extremely bone-headed" then maybe we can both.
This is somewhat along the lines of SPF's SOFTFAIL. You will find
some people who reject based solely on seeing a SOFTFAIL and you will
find others claiming that SOFTFAIL is functionally equivalent to
> The current SSP has o=! t=y which could in a tortured way be
> construed to have that semantic: "I sign everything, but hey I'm
> testing so take it for what it's worth". If we have something more
> formalized, then maybe we can accommodate these two pretty different
Expect people to ignore the t=y flag also.
Really, anyone who thinks that signing email with DKIM (or DK or IIM)
will not directly cause some of your valid, non-spam, email to be
rejected is fooling themselves. Receivers are free to do whatever
they want with their servers, including extremely bone-head things.
Personally, I think there is some value in distinguishing between "I
sign everything and never send to mailing lists and other known
mungers", "I sign everything, but also send to known mungers", and "I
know I don't sign everything".