[ietf-dkim] user level ssp
wietse at porcupine.org
Sat Sep 9 07:09:03 PDT 2006
> 1) I always sign, but I also know that I send email through relays that
> will break the signature.
This is an assertion about the sender. As such, it is valid within
the context of a sender signing policy.
> 1) I always sign, but I also know that I send email through relays
> that will break the signature. If you, as a receiver, reject
> legitimate email due to broken/missing signatures, it is your fault
> and I'll place the blame on you.
This is an assertion about recipient actions and their consequences.
There is a mistaken perception that that senders have control over
how recipients handle email (whether spoofed or not). A sensible
sender signing policy is limited to assertions about sender actions.
For amusement value, below is my take on some signing policies:
after the first two, everything is either redundant, invalid, or
0 - No policy (status quo).
1 - All mail from this domain is signed (valid).
2 - Some mail from this domain is signed (equivalent to ).
3 - This domain sends no mail (effectively equivalent to ).
4 - No-one else can sign my mail (invalid, it attempts to control
recipient behavior where the recipient is, for example, a
mailing list, or a user at a DKIM-signing ISP who bounces an
email message to another site).
5 - Mail from this domain is never signed (inconsistent, it implies
that a valid signature is invalid; and invalid, as per ).
More information about the ietf-dkim