[ietf-dkim] Some concerns with SSP impact on very small businesses

Siegel, Ellen esiegel at constantcontact.com
Wed Jan 9 07:34:12 PST 2008



> -----Original Message-----
> From: Jim Fenton [mailto:fenton at cisco.com]
> Sent: Tuesday, January 08, 2008 11:14 PM
> To: Siegel, Ellen
> Cc: ietf-dkim at mipassoc.org
> Subject: Re: [ietf-dkim] Some concerns with SSP impact on very small
> businesses
> 
> Siegel, Ellen wrote:
> >
> > With SSP in play, once the ISP (e.g. yahoo.com) decides to publish an
> > SSP record things start to go downhill. The above configuration will
> > always trigger a lookup since the signature will never come from the ISP
> > domain, and the Verifier will only look for the SSP policy in the From:
> > address domain (yahoo.com). Since it's unlikely that any third party
> > signature used by outsource.com on behalf of their customers (whether
> > it's outsource.com directly, or unique signatures per-customer) will be
> > included in the list of Verifier Acceptable Third Party signatures at a
> > given Verifier, a record with either dkim=all or dkim=strict will cause
> > the joesbikeshop email to be consistently labeled as suspicious even
> > though it is authenticated and even though the address belongs to the
> > author of the email.
> >
> 
> The premise here is that a consumer ISP such as yahoo.com is going to
> publish an 'all' or 'strict' SSP record.  I am not aware of any consumer
> ISP that, as part of its Terms of Use, requires its customers to send
> outgoing mail through its mail servers.  There might be some that have
> this requirement in order to do more effective outbound spam filtering,
> but I'm not aware of them.  In the absence of such a requirement, it
> would be improper for these ISPs to publish an 'all' or 'strict' SSP, as
> that would be, in effect, imposing a restriction that wasn't there.
> Customers sending mail using their personal addresses through their
> company's mail infrastructure, or from a hotel that blocks port 25,
> would have the same problem.
> 
> Hopefully the consumer ISPs will recognize this.  We need to make every
> effort to make everyone know that publishing 'all' or (particularly)
> 'strict' is not something that is done lightly.  I know of tools that
> are under development to help domain owners know from where mail from
> their domains is being sent, and hopefully this will raise awareness
> too.  I expect that it will be a small but economically significant
> proportion of domains that will ever be able to publish anything other
> than 'unknown'.

I hope you're right, and encourage you to drive this point with the
ISPs. It would also be interesting to get some direct feedback from them
on this point; it would be useful to have some data. ISPs tend to have
concerns with abusive use of their email addresses just as many other
large brands do, so I would tend to expect them to push for at least
dkim=all publication. If it is in fact reasonable to expect that ISPs
will tend to stick to 'unknown', then the impact on these small senders
should be relatively minor. 

Ellen 
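
The verifier decision procedure this thread is arguing about, as an added illustration that is not code from the ietf-dkim working group, from Jim Fenton or from Ellen Siegel: it models a verifier that accepts an Author Signature first, then a locally configured Verifier Acceptable Third-Party Signer, and only then consults the From: domain's SSP record, and it replays the joesbikeshop@yahoo.com / outsource.com case under dkim=unknown, dkim=all and dkim=strict. The record syntax (tag=value pairs separated by ';'), the in-memory dictionary standing in for the DNS lookup, and the choice to treat an unrecognised dkim= value as 'unknown' are assumptions of this example, not quotations of the SSP draft.

```python
"""SSP verifier decision as described in the ietf-dkim thread above.

Added illustration for this page; not the working group's code, and not
a quotation of the SSP draft. Scenario data and record syntax below are
constructed for the example.
"""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


def parse_ssp_record(txt: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record (assumed syntax, modelled on
    DKIM's own tag lists) into a dict, normalising the dkim= practice.
    A missing or unrecognised dkim= value is treated as 'unknown'; the
    fail-open choice is an assumption of this example, reasoning that a
    verifier cannot justify flagging mail on a policy it cannot read."""
    tags: Dict[str, str] = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed SSP tag: {item!r}")
        key, value = item.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    practice = tags.get("dkim", "unknown").lower()
    if practice not in ("unknown", "all", "strict"):
        practice = "unknown"
    tags["dkim"] = practice
    return tags


@dataclass
class Message:
    from_domain: str                      # domain of the From: (author) address
    signer_domains: FrozenSet[str] = field(default_factory=frozenset)  # d= of verified signatures


def evaluate(msg: Message,
             ssp_records: Dict[str, str],
             acceptable_third_parties: FrozenSet[str]) -> str:
    """Return 'ok' or 'suspicious'.

    ssp_records maps an author domain to its published SSP TXT record and
    stands in for the DNS lookup a real verifier performs (constructed).
    acceptable_third_parties is this verifier's local list of Verifier
    Acceptable Third-Party Signers; the thread's point is that a small
    outsourcer is unlikely to appear on it."""
    author = msg.from_domain.lower()
    signers = {d.lower() for d in msg.signer_domains}
    # 1. A valid Author Signature settles it; no SSP lookup is needed.
    if author in signers:
        return "ok"
    # 2. A third-party signature this verifier trusts also settles it.
    if signers & {d.lower() for d in acceptable_third_parties}:
        return "ok"
    # 3. Only now is the From: domain's SSP record consulted.
    record = ssp_records.get(author)
    practice = parse_ssp_record(record)["dkim"] if record else "unknown"
    # 'unknown' (or no record at all): nothing can be concluded about mail
    # that lacks an Author Signature. 'all' and 'strict' both lead the
    # thread's verifier to label such mail suspicious; any difference in
    # handling between the two is outside this example.
    return "ok" if practice == "unknown" else "suspicious"


def joesbikeshop_scenario(yahoo_record: Optional[str],
                          verifier_accepts_outsource: bool = False) -> str:
    """Constructed replay of the thread's case: joesbikeshop@yahoo.com sends
    through outsource.com, which signs with its own d=outsource.com key."""
    msg = Message(from_domain="yahoo.com",
                  signer_domains=frozenset({"outsource.com"}))
    records = {"yahoo.com": yahoo_record} if yahoo_record else {}
    accepted = frozenset({"outsource.com"}) if verifier_accepts_outsource else frozenset()
    return evaluate(msg, records, accepted)


if __name__ == "__main__":
    for rec in (None, "dkim=unknown", "dkim=all", "dkim=strict"):
        print(f"yahoo.com publishes {rec!r:>16}: {joesbikeshop_scenario(rec)}")
    print("dkim=all, outsource.com on verifier's list:",
          joesbikeshop_scenario("dkim=all", verifier_accepts_outsource=True))
```

Run as a script it walks the four policies; only the last two flag the (authenticated) joesbikeshop mail, and adding outsource.com to the verifier's acceptable list clears it again, which is exactly the dependency on per-verifier configuration the thread objects to.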