[ietf-dkim] DKIM and VBR tester available
dotis at mail-abuse.org
Wed Oct 11 02:17:09 PDT 2006
On Tue, 2006-10-10 at 21:39 -0400, Hector Santos wrote:
> 2 plus years hammering out IETF public standard specs for DKIM and we
> now we get proprietary non-standard non-IETF workgroup half baked ideas?
> Why didn't you at least write an IETF draft? and try to get a working
> group going? Come on. Waste people's time with this stuff. Who says
> this VBR thing works? You? Where is the Threat Analysis and
> engineering behind it?
There is still work required. There is no simple way to differentiate
replay abuse caused by a competitor from abuse caused by the domain
being vouched. That is unless the signing domain can be associated with
the SMTP Client. The DOSP draft provides an approach that helps solve
Those attempting to vouch for a domain will need to establish procedures
and requirements. The requirements will likely mean this approach is
limited to bulk senders where SMTP Client association does not represent
a significant problem.
While VBR states that this scheme does not affect Sender-ID, the reverse
is not true. Sender-ID represents a very serious threat to DNS, and
MUST NOT be used to associate a signing domain with that of the SMTP
When trust is established by the recipient, rather than by some vouching
service, there is still a need to understand which messages should be
trusted based upon just the domain, and which email-addresses are valid.
Again DOSP helps solve those issues as well, along with allowing the
designation of signing domains. Designation does not alter how VBR
works, as VBR is based upon the signing domains. Designated sub-domains
can be established for individual customers or types of use.
More information about the ietf-dkim