[ietf-dkim] Blocking improperly signed messages

Douglas Otis dotis at mail-abuse.org
Mon Dec 11 11:22:05 PST 2006


On Dec 12, 2006, at 2:06 AM, Hector Santos wrote:

> The fact of the matter is you are directly competing and blowing
> against the wind with the ever-growing MTA trend of REDUCING
> unsolicited abusive mail and spam BEFORE it gets to the user.
> Whether you like it or not, it's a reality both technically and
> ever more growing in the legal world. It's happening. So get used to
> it.

DKIM might be used for white-listing (assuming the SMTP client can be  
associated with the signing-domain).  White-listing does not get rid  
of abusive mail, it trades off other measures that might be more  
costly in terms of integrity or overhead.

DKIM however can never reduce the level of abuse through the  
application of a restrictive policy.  DKIM can reduce the level of  
abuse by making spoofing unsuccessful.  There are millions of new  
domains created every day at no cost to the bad actor.  Neither SPF
nor DKIM identify new sources based upon some restrictive policy.  A
restrictive policy adds little, if any, anti-spoofing protection when
the recipient must still visually recognize the originator based upon
what they see.  Authentication and recognition is where progress is  
made, often by intelligent filtering at this point that is not based  
upon a policy record.  DKIM in conjunction with a recognition scheme  
provides reasonable protections without any policy record being  
used.  The policy record requirements should instead focus on  
ensuring a larger portion of email can be recognized without complex  
three-party administration, as now envisioned.  Focus upon enabling a  
greater use of DKIM+Recognition+Annotation.

> So either DKIM-BASE is going to be part of the solution or it's not,
> at the very least, my INPUT says that SSP will give it a fighting
> chance and in all honesty, will help people, as yourself, in your
> market who have a direct interest in seeing users make the final
> decision of all messages.

With a recognition scheme that adds annotation on messages found in  
their address-book or on a DAC compatible list, this will help people  
by providing the desired protections.  A restrictive scheme takes
away freedoms with little protective benefit, but at a loss of
email integrity.

-Doug
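
The following is an added example, not part of the original message or of any DKIM implementation: a sketch of the recognition-plus-annotation idea discussed above, showing that a validly signed look-alike domain is not annotated as recognized. The header name `X-Recognition`, the verdict strings, the rule that a signing domain covers the author's domain or its subdomains, and the input `verified_domains` (d= values already validated by a DKIM verifier) are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ANNOTATION_HEADER = "X-Recognition"  # hypothetical header name, not from the post


def domain_covers(signing_domain, author_domain):
    """True if the signing domain equals the author's domain or is a parent of it."""
    s = signing_domain.lower().rstrip(".")
    a = author_domain.lower().rstrip(".")
    return a == s or a.endswith("." + s)


def annotate(raw_message, verified_domains, address_book):
    """Return (verdict, message) with the verdict written into ANNOTATION_HEADER.

    verified_domains: d= values whose signatures a DKIM verifier has already
    validated (assumed input; no cryptography or DNS lookups happen here).
    """
    msg = message_from_string(raw_message)
    del msg[ANNOTATION_HEADER]  # discard any annotation the sender supplied
    froms = msg.get_all("From", [])
    # Zero or several From headers: nothing trustworthy to show the recipient.
    addr = parseaddr(froms[0])[1].lower() if len(froms) == 1 else ""
    _, at, author_domain = addr.rpartition("@")
    signed = bool(at) and any(domain_covers(d, author_domain) for d in verified_domains)
    known = addr in {a.lower() for a in address_book}
    if signed and known:
        verdict = "recognized"
    elif signed:
        verdict = "signed-unknown-sender"  # valid signature, but not a known correspondent
    else:
        verdict = "unverified"
    msg[ANNOTATION_HEADER] = verdict
    return verdict, msg


# Constructed sample input (not real mail).
BOOK = {"alice@example.com"}
GENUINE = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
LOOKALIKE = ("From: Alice <alice@examp1e.com>\nX-Recognition: recognized\n"
             "Subject: hi\n\nbody\n")

if __name__ == "__main__":
    cases = ((GENUINE, ["example.com"]), (LOOKALIKE, ["examp1e.com"]), (GENUINE, []))
    for raw, domains in cases:
        print(annotate(raw, domains, BOOK)[0])
```
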
