[ietf-dkim] New Issue: Use of XPTR records in SSP
Douglas Otis
dotis at mail-abuse.org
Wed Apr 18 10:13:53 PDT 2007
On Apr 17, 2007, at 8:35 PM, Jim Fenton wrote:
> Douglas Otis wrote:
>>
>> This assumes a simple authorization scheme is not effective at
>> protecting a principal domain. For example, if the industry
>> creates a list of domains used for the purpose of registries, then
>> this would identify precisely which domain should be queried. As
>> there are some TLDs publishing MX records, such a list becomes
>> even more important from the prospect of limiting the scope of
>> TLDs with respect to DKIM sub-domain validations.
>
> I'm not clear on specifically who "the industry" is that you're
> referring to that creates and maintains the list. It sounds like
> you're proposing some other kind of non-self-published database
> that identifies mailing domains. It doesn't sound like the SSP of
> which we just completed the last-call of the requirements document.
The DKIM base specification already establishes an expectation of
there being a general agreement upon what is a TLD domain. Proper
use of DKIM must also consider second level domains as well, to avoid
errant registries publishing DKIM keys for questionable purposes.
There are already a few publishing seemingly broken MX records.
DKIM also depends upon domain reputations, instead of just IP address
reputations.
Consider how one might wish to implement such a domain reputation query.
With a daily churn of millions of new domains, there can be no prior
knowledge of who the bad actors are by name. One would not want a
cache flooded with the garbage created by spammers using random
sub-domains. The query must be required to stop at the principal domain
to protect a reputation service cache. The cost of the network
traffic related to such a service is not cheap, where caches are
essential.
This form of reputation exploitation is enabled by wildcard MX
records. In this respect, the wildcard MX has proven to be a bad
idea. Wildcard MX records allow those few with MDAs to process
domains and local-parts in clever ways, but is that really worth the
trouble that it creates? What percentage of email depends upon
wildcard MX records that cannot be easily accommodated with static
records?
I can inquire as to whether our company would be willing to offer
this as a service, if this sounds like a good approach. They do wish
to support DKIM. I am sure others would join such an effort.
-Doug
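As an added illustration of the cache-protecting lookup described above (example code written for this page, not from the DKIM specifications or the list discussion): the reputation lookup first reduces a signing domain to its principal domain using a constructed registry-suffix list, so that arbitrary sub-domains, such as those produced under a wildcard zone, all share one cache entry and a registry-level name gets no lookup at all. REGISTRY_SUFFIXES, principal_domain and ReputationCache are hypothetical names.

```python
# Added example: bound a domain-reputation query at the "principal domain"
# so that random sub-domains collapse onto a single cache entry.
from typing import Optional

# Constructed registry-suffix list (hypothetical stand-in for an
# industry-maintained list of registry domains; a real one would be large).
REGISTRY_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk"}


def principal_domain(name: str) -> Optional[str]:
    """Return the label immediately below the longest matching registry suffix.

    Returns None when `name` is itself a registry suffix, or ends in a suffix
    not on the list, so the caller can refuse to query reputation for it.
    """
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    best = None
    # Try suffixes from shortest to longest; the longest match wins.
    for i in range(len(labels) - 1, -1, -1):
        if ".".join(labels[i:]) in REGISTRY_SUFFIXES:
            best = i
    if best is None or best == 0:
        return None  # unknown TLD, or the name is a registry suffix itself
    return ".".join(labels[best - 1:])


class ReputationCache:
    """Caches verdicts keyed on principal domain, never on the full name."""

    def __init__(self, lookup):
        self._lookup = lookup   # the (expensive) remote reputation query
        self._cache = {}
        self.queries = 0        # remote queries actually issued

    def verdict(self, signing_domain: str) -> str:
        key = principal_domain(signing_domain)
        if key is None:
            return "reject"     # registry-level signer: no principal domain
        if key not in self._cache:
            self.queries += 1
            self._cache[key] = self._lookup(key)
        return self._cache[key]
```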