[ietf-dkim] "I sign everything" yes/no

J.D. Falk jdfalk at yahoo-inc.com
Tue Nov 21 15:02:27 PST 2006


Imagine, if you will, that I'm a big ISP with lots and lots and lots of 
consumer type end users who prefer to stay clueless about the 
intricacies of e-mail.

A message comes in which claims to be from the First Amalgamated Bank of 
Example.  An entirely separate, unrelated mechanism has already told me 
that example.com really is the domain name used by the First Amalgamated 
Bank of Example, and that they're a real bank with tellers and vaults 
and bulletproof glass and all that fun stuff.

But this message isn't signed (and/or the signature is invalid, which 
base says is the same thing.)  How do I find out whether or not the 
First Amalgamated Bank of Example thinks that they sign all of their 
messages?  That should be a simple, binary operation, right?  I really 
don't care about anything else the sender may want to assert.

Should that be in SSP?  Should it be in something else?  Should I 
encourage all of the banks to use a non-standardized external mechanism 
while y'all argue?

-- 
J.D. Falk, Anti-Spam Product Manager
Yahoo! Product Platform Group

