[ietf-dkim] SSP = FAILURE DETECTION
dotis at mail-abuse.org
Tue Sep 12 10:21:17 PDT 2006
On Sep 12, 2006, at 9:41 AM, Thomas A. Fine wrote:
> Without SSP, users have two opportunities for making mistakes in
> verifying their mail. They can fail to notice that it is unsigned,
> or they can fail to notice that it is from a wrong domain.
SSP that blocks unsigned messages still offers a large opportunity to
get this wrong. Phish commonly avoid using the exact domain to avoid
being filtered. You are assuming visual examination of a domain is
reliable, but it is not. There are still too many being fooled to
curtail this criminal activity. The majority of users only see the
Display name without additional clicks. We are also entering an era
where it is also likely that the character repertoire being used is
> With SSP, users only have to look for the wrong domain, because
> they should never see the unsigned mail.
Unsigned email might be blocked unless the email-address domain wants
access to common services, or wants reliable delivery, or the
verifying domain does not block based upon this policy. Will this
blocking strategy lead to legal obligations of blocking these messages?
> Maybe someone who's an expert in human factors can relate this to
> statistical decrease in errors by the user. My feeling is that the
> less a user has to worry about, the more likely they are going to
> successfully examine their message and determine its origin.
Provide the user a strong trustworthy annotation that:
a) the email-address within the message matches the one in their
b) and that this email-address has been asserted valid with DKIM.
This strategy does not require providers to block any message,
grandma to get out her magnifying glass, or junior to reconfigure
grandma's client to use 14 point font, not display translated ACE
labels or display names and to post next to her display terminal the
exact spelling of her important transactional email domains.