[ietf-dkim] The scope of policy applicability and general adoption

Douglas Otis dotis at mail-abuse.org
Mon Aug 28 11:34:59 PDT 2006


Sorry Stephen, I'll try to be clearer.  When stepping back, perhaps  
one should also question whether a policy record is the best solution.

A Policy that can indicate only a solitary state of the 2822.From
being within the signing-domain will be problematic.  There are
legitimate causes for a once-compliant message to later become
non-compliant.  When policy can only reflect adoption of this solitary
provision, non-compliant messages are more likely rejected or placed
into the never-read spam folder.  The prevalence of delivery-related
problems may lead to a general assumption that this policy is only
suitable for dire situations, such as being the subject of a phishing
attack.  This solitary state therefore represents a significant
step-function in non-compliant messages being acceptable, to not being
acceptable.  This step-function is also likely to become steeper or
more severe over time.

When a solitary state policy ends up providing benefit to an  
extremely narrow scope of domains, the overhead searching label-trees  
for a policy intent on blocking non-compliant messages may actually  
discourage its adoption.  There is little incentive to publish a  
policy that does not alter the assumed default.  Look-alike domains
are able to thwart even the most severe handling based upon this
policy.  This raises the general question whether all emails should
invoke a search for a narrowly applicable policy found somewhere in  
the DNS hierarchy.  It would be better to adopt a solution that  
limits the number of queries to one.  In addition, it would be better  
to adopt a solution that also thwarts look-alike exploits.

There are two possible solutions:

  - A repository of domain names that desire the severe
    handling of non-compliant messages.

  - An annotation scheme based upon the presence of the
    2822.From address being found in the address book.

Both of these strategies can be done in parallel.  Neither scheme  
requires a DKIM specific policy.  The only essential element needed  
to secure annotations based upon 2822.From address would be for  
signature semantics to clearly indicate whether the signing domain  
assures the validity of this address.

The repository of domain names could be a zone dedicated to this use  
under the DKIM.ORG zone, for example.  This zone could return a  
record indicating that the domain being queried has requested the  
severe handling of non-compliant messages, or whether this domain has  
been used in criminal fraud as reported by various enforcement agencies.

Both of these solutions do not need policy, and both can thwart a  
look-alike attack.

-Doug
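
The address-book annotation and the single-query repository lookup proposed in the message above, sketched as an added example that is not part of the original post. The `assures_from` flag, the `handling.example` zone and the result labels are assumptions made for illustration.

```python
from email.utils import parseaddr


def addr_and_domain(from_header):
    """Return (address, domain) from a 2822.From header value, lower-cased."""
    addr = parseaddr(from_header)[1].lower()
    return addr, addr.rpartition("@")[2]


def within(domain, signing_domain):
    """True when domain equals signing_domain or is a subdomain of it."""
    domain = domain.rstrip(".")
    signing_domain = signing_domain.lower().rstrip(".")
    return domain == signing_domain or domain.endswith("." + signing_domain)


def annotate(from_header, signing_domain, assures_from, address_book):
    """Classify a message for display in the mail client.

    signing_domain: d= value of a signature that already verified, or None.
    assures_from:   assumed flag from the verifier meaning the signer vouches
                    for the 2822.From address (the semantics the message asks for).
    """
    addr, domain = addr_and_domain(from_header)
    if not (signing_domain and assures_from and within(domain, signing_domain)):
        return "unassured"
    # Only an exact address-book hit earns the annotation, so a validly
    # signed look-alike domain is never marked as a known correspondent.
    return "known-correspondent" if addr in address_book else "assured-unknown"


def repository_qname(from_header, zone="handling.example"):
    """The one DNS name to query in a dedicated repository zone.

    The zone name is a placeholder; the lookup needs no walk up the label tree.
    """
    return f"{addr_and_domain(from_header)[1]}.{zone}."


# Constructed sample data for illustration.
ADDRESS_BOOK = {"alice@bank.example"}

if __name__ == "__main__":
    for hdr, d in [("Alice <alice@bank.example>", "bank.example"),
                   ("Alice <alice@bank-secure.example>", "bank-secure.example"),
                   ("Alice <alice@bank.example>", "evil.example")]:
        print(hdr, "->", annotate(hdr, d, True, ADDRESS_BOOK), repository_qname(hdr))
```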



