[ietf-dkim] Change to Section 6
dotis at mail-abuse.org
Tue Jan 23 10:36:26 PST 2007
On Jan 23, 2007, at 8:50 AM, Hector Santos wrote:
> Douglas Otis wrote:
>> On Tue, 2007-01-23 at 10:07 -0500, Bill.Oxley at cox.com wrote:
>>> Authoritative statements made by a DKIM aware MUA is a good
>>> thing. However from an ISP perspective I would not depend on an
>>> end user to have a DKIM aware MUA but will verify and do Policy
>>> silently at my edge MTA devices. Any mail that makes it past
>>> there can still be acted upon by the MUA.
>> There are millions of new domains added and removed every day.
> And if true, any given average node only sees 0.001% of them if that.
How is this relevant? New domains are often exploited before a
registry can compile and transfer what has changed. For ".com" there
might be a 12 hour lag in noting the millions of new domains, which
is a short interval compared to some TLDs.
>> Should the MTA verify DKIM signatures before applying filters?
> That's out of your control.
Verifying DKIM signatures after applying filters informs bad actors
what has slipped through. Unless a valid signature permits the
filter to be bypassed, there is little value validating a signature
afterwards. Verifying all signatures ahead of filters will increase
required resources. Verifying all DKIM signatures adds cost and opens
the door to DDoS concerns without tangible benefit. When the MTA
will bypass spam or phishing filters based upon specific signatures,
these are the only signatures logically that should be validated.
The MUA can also be highly selective by only validating signatures
trusted by the recipient. Such a strategy reduces resources demanded
by DKIM deployment, and will not leak critical processing information
to bad actors.
>> Don't forget about Display-Name only, clever use of UTF-8, cousin
>> domains, and obfuscations making it appear as though the email-
>> address is displayed.
> So if the MTA can't handle it, we'll pass you that junk so you can
> deal with it. A six pack your MUA can't deal with it neither!
There should not be any expectation that all signatures have been
verified. Logically only those signatures that might rescue a
message from being rejected should be checked. This checking should
be selective and happen ahead of other filtering. Essentially this
means that not all signatures should be checked.
There are millions more MUAs than there are MTAs. This may suggest
which MTA versus MUA effort might be better at scaling. How about a
bottle of Cabernet versus your six-pack? : )
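
Added example, not part of the original message: a sketch of the selective pre-filter check argued for above, which reads only the d= and s= tags of each DKIM-Signature header and returns the key records to fetch for signatures that could change the filtering outcome. The BYPASS_DOMAINS policy set, the sample message and the function names are assumptions made for illustration.

```python
import email
import re

# Hypothetical local policy (constructed values): signing domains whose valid
# signature would let a message bypass the spam/phishing filters.
BYPASS_DOMAINS = {"bank.example", "partner.example"}

# Constructed sample: two signatures, the second one folded across lines.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=bulk.example; s=m1; h=from; bh=AAAA; b=BBBB\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=Bank.Example;\n"
    "\ts=jan2007; h=from:subject;\n"
    "\tbh=CCCC; b=DDDD==\n"
    "From: Alerts <alerts@bank.example>\n"
    "Subject: statement\n"
    "\n"
    "body\n"
)

def parse_tag_list(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first "=" only; b= may end in "=="
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def keys_to_fetch(raw_message, bypass_domains=BYPASS_DOMAINS):
    """Return DNS names of the public keys for signatures worth verifying.

    Signatures from other domains are skipped before any DNS lookup or
    hash/RSA work, so those messages go straight to normal filtering.
    """
    msg = email.message_from_string(raw_message)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(header)
        domain = tags.get("d", "").lower().rstrip(".")
        selector = tags.get("s", "")
        if domain in bypass_domains and selector:
            names.append(f"{selector}._domainkey.{domain}")
    return names

if __name__ == "__main__":
    print(keys_to_fetch(SAMPLE))
```

Only the names returned here would go on to a key lookup and cryptographic verification; the bulk.example signature in the sample costs the verifier nothing beyond a header parse.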