[ietf-dkim] Accidental versus malicous error (was: SSP assist DKIM)

[Douglas Otis]

On Dec 19, 2007, at 10:06 AM, Damon wrote:

> As an operations person, I imagine that I would have a type of  
> double-check. I certainly would be monitoring how many good  
> signatures that I would be getting from sources that sign. If  
> suddenly my average good sign for a particular site went down and my  
> average bad sign went up, it would cause me to take notice and have  
> a look.

In other words, you would pay attention to bogus DKIM signatures that  
are wasting resources and perhaps representing an excess of spam.   
Wouldn't you then also pay attention to which SMTP clients gave you  
the highest number of invalid DKIM signatures?  Would your filter give  
credit to a message for including an invalid signature?

Once SMTP clients find they might be blocked for having issued too  
many invalid DKIM signatures, they might remove invalid DKIM  
signatures beforehand.  Although this is in conflict with the base  
specification, at least this measure ensures SMTP clients are not  
associated with bad behaviours related to bogus DKIM signatures.

If, or when, DKIM signature hygiene does becomes a common practice, as  
perhaps it should, then any invalid DKIM signature would be fairly  
indicative of either older systems already listed as being DKIM  
unfriendly, or newer and perhaps questionable systems behaving badly.   
Weighing an invalid DKIM signature as 'implying' a message is likely  
to have originated from some domain invites bad behaviour that wastes  
valuable resources.   Although an invalid signature should be  
considered equal to no signature (as also specified in the base  
specification), from the responses on this list, expect many will bet  
on initial statistics and get this wrong.  This does not bode well,  
and could represent a sizeable loss of receiver resources.

-Doug