[ietf-dkim] Signalling DKIM support before DATA
ietf-dkim at kitterman.com
Tue Aug 8 11:43:25 PDT 2006

On Tuesday 08 August 2006 14:30, J.D. Falk wrote:
> On 2006-08-08 10:31, Scott Kitterman wrote:
>
> > If there is a reasonable way to do it, it might be useful for receivers
> > to be able to get a hint before going to DATA if the message is going to
> > be DKIM signed. I can envision looking for such a hint when evaluating a
> > message from an IP address listed in an RBL and perhaps going to DATA to
> > look for the promised signature.
>
> This would break on forwarding -- so the positive ("yes, I signed this
> message") is good, but the negative ("no, I don't sign") can't be
> trusted without knowing a whole lot more about the sending site's
> technical configuration and/or business practices.
>
> Plus, spammers could easily start using this same technique to try to
> bypass envelope security in hopes of then fooling DATA filters.
>
> > I can see some potential for this to make signing more attractive to
> > small senders who are more likely to be blocked due to RBLs. It may be
> > attractive to receivers as a way to reduce false positives from spam
> > filtering techniques used on the envelope.
>
> Sounds like false hope to me; as a big receiver, I can't imagine that
> I'd ever want to blindly trust assertions made by an unknown sender.

As both you and John L point out, this is a big issue. That's why I was
thinking about it being something in DNS related to the policy record so that
it would be at least slightly harder to lie about it. It's also why I
started with IF... I recognized that if it can be trivially spoofed, then
there's no reason to do it.