[ietf-dkim] SSP = FAILURE DETECTION
dotis at mail-abuse.org
Fri Sep 8 17:29:40 PDT 2006
On Sep 8, 2006, at 1:59 PM, Hector Santos wrote:
> Are you expecting them to be DKIM-READY to display this information
Unless the MDA modifies the message, DKIM can be verified at the MUA
or even the web client for that matter. DKIM working in conjunction
with MUA annotations provides for many of the human factors needed
to thwart much of the fraud. Look-alike attacks should prove far
less successful, for example.
> If so, why should the MTA even bother to do DKIM-PROCESS and just
> let the offline MUA do the DKIM processing?
One advantage would be an ability to safely bypass filters for bulk
senders where prior arrangements have been made. The other might be
to reduce a filter's false positive rate, minimize defanging
operations, and improve abuse reporting.
> The bottom line is that you still need to "FILTER" something at
> some level even if you don't use SSP at the MTA and I can assure
> you that without SSP, I am less willing to assume product liability
> issues by wasting time doing an ACCOUNTABILITY check at the MTA that
> has no payoff of eliminating mail.
The "bottom line" could be annotations applied that benefit the
recipient without filtering beyond what is normally done already.
DKIM should improve the performance of this filtering process as
well. A reduction in spam might be expected by reducing the revenue
sustained by successful fraud in the way of identity theft, and the
introduction of malware. Of course, it might also mean bad actors
redouble their efforts. The real "bottom line" is that DKIM can not
prevent spam. Contrary to Dave's opinion, when DKIM is coupled with
an intelligent MUA, it should reduce the success rate for much of the
fraud, and improve the open rates for valid messages.
To support an intelligent MUA, only email-addresses "assured" valid
are safely annotated. The percentage of email-addresses protected by
DKIM can be improved through the use of policy records by:
- extending a signing domain's ability to assure the validity of an
- limiting assurances to selected email-addresses, when annotations
are based upon a trusted-domain list.