[ietf-dkim] Re: 1: 1 and assertions about third parties
hsantos at santronics.com
Thu Jan 17 21:27:15 PST 2008
John L wrote:
>>> My expectation is that a large majority of domains that would publish
>>> strict SSP policies would be small mail systems with no more forgery
>>> problems than anyone else, but an exaggerated idea of their own
>> I'm sorry, but is it just your peevishness about their perceived
>> self-importance? What difference does it make if they aren't as
>> important as they think they are? How is that negatively affecting
> My understanding is that the point of publishing SSP is to help mail
> recipients filter their mail better, where the only useful meaning of
> better is that it makes the recipient users happier.
Well, that applies to any filtering concept in general - hence the term
To me, SSP is related to the DKIM-BASE "promotion" for a new level of
operations and expectations.
The DKIM-BASE presumption is such that all mail is going to be signed or
not signed and that the receiver should make new assertions about the
valid DKIM-BASE signed mail.
The problem is twofold:
- Was it authorized (signed) by the right person?
- Was it REALLY not signed (as opposed to failed) at all?
The idea that a receiver should just apply special DKIM considerations
to valid signed mail and ignore the "Same Considerations" when they are
not signed, just accept it as it was legacy stuff, is unacceptable in my
This can only be resolved by what is expected by the "domain
owner." That expectation has to come from somewhere.
In my opinion, it boils down to:
a) Some believe that comes from a non-standard TRUST service
(another form of SSP, but limited only to those who are
members of the TRUST server).
b) A "batteries not required" industry standard SSP approach
which allows the DOMAIN itself to define the expectation.
The first method can offer both merged "POLICY" and "REPUTATION" logic.
The latter is simply about DKIM-BASE protocol consistency. In lieu of a
white/black list, no reputation is considered. Everyone is viewed the
The first has limited effectiveness since it is secluded to member
records only and it has NO logic for unsigned mail signatures. This
will not allow receivers to cover DKIM across the board. i.e., it doesn't
address the legacy market - where the majority of abuse is located.
The latter has the potential to be vastly effective since no special 3rd
party membership is required and MOST of the abuse occurs when there is
protocol inconsistency. This will allow receivers to cover DKIM across
Hector Santos, CTO
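The two questions raised in the message (was the mail authorized by the right party, and was it really unsigned rather than failed) can be made concrete as receiver-side policy logic. The following Python is an added illustration written for this archive page; it is not code from the poster, the DKIM working group, or any SSP draft. The policy record format ("dkim=unknown|all|strict"), the domain names, and the DNS stand-in dictionary are assumptions constructed for the example.

```python
"""
Receiver-side evaluation of a sender signing policy (constructed example).

Assumption: the author domain publishes a record carrying a "dkim=" tag
with one of the values unknown, all, or strict. The real SSP record
syntax is not quoted in the message; this tag form is an assumption
chosen so the decision logic can be exercised end to end.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class SigResult(Enum):
    NONE = "none"   # no DKIM-Signature header present at all
    FAIL = "fail"   # a signature was present but did not verify
    PASS = "pass"   # a signature verified cryptographically


@dataclass
class Message:
    from_domain: str               # domain of the From: address
    signer_domain: Optional[str]   # d= of the verified signature, None if no PASS
    sig: SigResult


# Constructed stand-in for the DNS lookup of a domain's published policy.
# A missing entry models a legacy domain that publishes nothing.
POLICY_RECORDS = {
    "mailer.example": "dkim=all",
    "bank.example": "dkim=strict",
    "other.example": "v=1; dkim=unknown",
}


def lookup_policy(domain: str) -> str:
    """Return 'unknown', 'all' or 'strict'; 'unknown' when nothing is
    published or the record cannot be parsed (no policy is a policy of
    'we promise nothing', which is the legacy case)."""
    record = POLICY_RECORDS.get(domain)
    if record is None:
        return "unknown"
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "dkim":
            value = value.strip().lower()
            return value if value in ("unknown", "all", "strict") else "unknown"
    return "unknown"


def evaluate(msg: Message) -> Tuple[str, str]:
    """Apply the From-domain's policy and return (disposition, reason).

    Question 1 (authorized by the right party?): only a verified signature
    whose d= equals the From domain counts as an author-domain signature.
    Question 2 (really unsigned, or failed?): a failed signature gives no
    more assurance than no signature, so both are treated as "not signed"
    for policy purposes, but the reason string keeps the distinction so
    the operator can see which case occurred.
    """
    author_signed = (msg.sig is SigResult.PASS
                     and msg.signer_domain == msg.from_domain)
    policy = lookup_policy(msg.from_domain)

    if author_signed:
        return ("accept", f"author-domain signature verified; policy={policy}")

    if msg.sig is SigResult.PASS:
        why = f"signature verified but signer {msg.signer_domain} is not the author domain"
    elif msg.sig is SigResult.FAIL:
        why = "signature present but failed verification (treated as unsigned)"
    else:
        why = "no signature present"

    if policy == "unknown":
        # Legacy case: the domain promised nothing, so no policy-based action.
        return ("accept", f"{why}; no policy published")
    if policy == "all":
        return ("suspicious", f"{why}; domain states all its mail is signed")
    return ("reject", f"{why}; domain states all its mail is signed and unsigned mail should be refused")


if __name__ == "__main__":
    samples = [
        Message("mailer.example", "mailer.example", SigResult.PASS),
        Message("mailer.example", None, SigResult.FAIL),
        Message("bank.example", None, SigResult.NONE),
        Message("bank.example", "esp.example", SigResult.PASS),
        Message("legacy.example", None, SigResult.NONE),
    ]
    for m in samples:
        print(f"{m.from_domain:16} {m.sig.value:5} -> {evaluate(m)}")
```

The point the code makes is the one in the message: a domain that publishes nothing gets the legacy treatment regardless of signature state, whereas a published expectation lets the receiver act on unsigned and failed mail, not just on mail that happens to verify.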