[ietf-dkim] user level ssp
johnl at iecc.com
Thu Sep 7 11:11:27 PDT 2006
>Whereas, "I sign no mail" means that it ALL has to go through a
>traditional spam filter. One could make an argument that such a
>policy would mean that any SIGNED mail from this domain can be
>immediately dropped as invalid.
Nope. If you get signed mail, that means the domain has published a
signing key. If the SSP says "I sign no mail", then the domain is
denying the existence of its own signing key. The only thing we can
conclude is that the person who runs that domain's DNS isn't very good
>And "I sign all mail" means that unsigned mail can be instantly
Yes, if you believe it. As has been exhaustively argued here before,
there are lots of plausible ways that a legitimate message could
arrive with a broken or missing signature, with mailing lists being
the horse that has been beaten the hardest. We also know from SPF
that if you believe -all, you'll lose a lot of valid mail.
One possibility would be to drop all unsigned mail, tough noogies. Or
you do your whitelisting first to catch the lists and other known
friendly forwarders that sign their mail, and then do SSP after that.
Or something. These are all paper designs, so nobody has any idea how
much if any of SSP will be useful in practice.
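Added example, not part of the original post or of any DKIM/SSP draft: a toy model of the two orderings John compares above, "drop all unsigned mail" versus "whitelist known signing forwarders first, then apply SSP", plus the "signed mail from an 'I sign no mail' domain" case. The policy values, the Message fields, the domain names and the whitelist are assumptions made up for this sketch; they do not reflect any SSP record syntax.

```python
# Added illustration (not from the post or any draft): a sketch of
# receiver-side SSP dispositions. Policy values and message fields are
# assumptions for this example only, not a wire format.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    """Sender signing policy published by the author (From:) domain."""
    UNKNOWN = "unknown"   # domain publishes no SSP at all
    NONE = "none"         # "I sign no mail"
    ALL = "all"           # "I sign all mail"


class Sig(Enum):
    """Outcome of DKIM verification on the message."""
    MISSING = "missing"   # no DKIM-Signature header present
    BROKEN = "broken"     # header present but does not verify (e.g. list footer added)
    PASS = "pass"         # verifies against the d= domain's published key


class Disposition(Enum):
    ACCEPT = "accept"     # known friendly forwarder signed it; skip SSP
    FILTER = "filter"     # no SSP verdict; hand to the traditional spam filter
    REJECT = "reject"     # SSP "all" and no usable first-party signature


@dataclass(frozen=True)
class Message:
    author_domain: str          # domain of the From: address
    sig: Sig
    sig_domain: Optional[str]   # d= of the signature that verified, if any


def author_signed(msg: Message) -> bool:
    """True only for a verified first-party signature (d= equals the From: domain)."""
    return msg.sig is Sig.PASS and msg.sig_domain == msg.author_domain


def disposition(msg: Message, policies: dict, whitelist: set,
                whitelist_first: bool = True):
    """Return (Disposition, reason).

    whitelist_first=True is the "whitelist the lists and friendly forwarders
    first, then do SSP" ordering; False is "drop all unsigned mail".
    """
    policy = policies.get(msg.author_domain, Policy.UNKNOWN)

    # 1. Whitelisting first: a verified signature from a known list or
    #    forwarder explains why the author's own signature is missing or
    #    broken, so SSP is not consulted at all.
    if whitelist_first and msg.sig is Sig.PASS and msg.sig_domain in whitelist:
        return Disposition.ACCEPT, f"verified signature from whitelisted forwarder {msg.sig_domain}"

    # 2. Signed mail from a domain whose SSP says "I sign no mail": the policy
    #    contradicts the key that just verified. Conclude only that the DNS is
    #    misconfigured; do not treat the message as a forgery.
    if policy is Policy.NONE and author_signed(msg):
        return Disposition.FILTER, "SSP 'none' contradicts a verified first-party signature; ignoring SSP"

    # 3. "I sign all mail" with no verified first-party signature. A broken
    #    signature counts as unsigned here, which is exactly the mailing-list
    #    problem the thread describes.
    if policy is Policy.ALL and not author_signed(msg):
        return Disposition.REJECT, f"SSP 'all' for {msg.author_domain} but signature is {msg.sig.value}"

    # 4. Everything else gets no SSP verdict and goes to the ordinary filter.
    return Disposition.FILTER, "no SSP verdict"


# Constructed sample data for the sketch; these are not real domains' policies.
POLICIES = {
    "signs-all.example": Policy.ALL,
    "signs-none.example": Policy.NONE,
}
WHITELIST = {"lists.example.org"}

SAMPLES = [
    Message("signs-all.example", Sig.PASS, "signs-all.example"),    # first-party signed: FILTER
    Message("signs-all.example", Sig.MISSING, None),                # REJECT
    Message("signs-all.example", Sig.BROKEN, None),                 # REJECT (broken == unsigned)
    Message("signs-all.example", Sig.PASS, "lists.example.org"),    # ACCEPT via whitelist
    Message("signs-none.example", Sig.PASS, "signs-none.example"),  # FILTER, policy contradicts key
    Message("nopolicy.example", Sig.MISSING, None),                 # FILTER
]

if __name__ == "__main__":
    for m in SAMPLES:
        d, why = disposition(m, POLICIES, WHITELIST)
        print(f"{m.author_domain:20} {m.sig.value:8} -> {d.value:7} ({why})")
```

Running the same samples with whitelist_first=False turns the list-relayed message into a REJECT, which is the "tough noogies" outcome; the order of the checks, not the policy itself, decides how much legitimate list mail is lost.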