[ietf-dkim] Re: "I sign everything" yes/no
dotis at mail-abuse.org
Fri Nov 24 01:58:27 PST 2006
On Thu, 2006-11-23 at 21:18 -0500, Hector Santos wrote:
> > DKIM will never be effective at blocking spam. Spoofing can only be
> > stopped by comparisons with lists established by recipients, such as
> > utilizing their address-book.
> I totally disagree and I don't see that is required for us to consider
> implementing DKIM into our system. A MUA is not required to protect a
> DOMAIN who has published an SSP with its policy define telling a
> RECEIVER what is expected and not expected.
What is meant by an "all From email-addresses are signed" policy
assertion? Does this mean "Reject or drop messages sent to a
mailing-list."? If so, what percentage of domains wish to make this
How are EAI headers protected? What must recipients see before an
assertion of signature expectation offers effective protections for
either recipients or the email-address domain owners? This question is
largely pointless. There is no way to know what recipients can see.
If the recipient sees a display name or the UTF-8 version of the From
header, what protection is provided by an assertion applying to
different domain? None. Many phishing attempts already utilize altered
email-addresses. Look-alike or cousin domain attempts are unaffected by
assertions of what is signed.
Annotations based upon signed messages also found in the recipient's
address-book thwarts these various phishing attempts. Protection is
obtained without recipients needing to take out their magnifying glass
or make often fruitless queries. At what point does it become clear
self authorization schemes are pointless in both excessive traffic and
easily defeated protections.
Causing phishing attempts to be unsuccessful is the best way to quell
this traffic. On the other hand, an authorization scheme will likely
improve phishing success rates. It is possible for plug-ins to be
implemented with existing MUAs. It is being done now, so the MTA vendor
don't need to change what they are doing.
More information about the ietf-dkim