[ietf-dkim] SSP = FAILURE DETECTION
Douglas Otis
dotis at mail-abuse.org
Mon Sep 11 10:22:28 PDT 2006
On Sep 11, 2006, at 8:04 AM, Thomas A. Fine wrote:
> With SSP, I can only receive mail that looks ALMOST like it is from
> one of my orgs. This is huge. This gives the user layer the
> ability to quickly, accurately, and precisely differentiate between
> fake and real messages. That's what SSP accomplishes.
A strong email-address policy assertion that disrupts the use of
common services might block exact spoofs. SSP does not differentiate
"real" messages.
> As far as what happens in the user layer, no specification can
> control that. We can certainly predict that a significant number
> of people will still fall for look-alike domains.
An association with a retrained email-address will curtail look-alike
attacks and clarify which messages are "real." For this, the signing
domain must offer an assurance that the email-address is valid as well.
> But this is vastly different than people falling for the exact
> valid email address they were expecting.
Deploying just this mechanism will likely provide a minor impact upon
the spoofing success rate. It may however have a major impact upon
the delivery rate of valid messages.
> What are we here for if we aren't here to fix that?
To offer a comprehensive solution that offers genuine protection
without impairing email delivery.
-Doug