esiegel at constantcontact.com
Tue Jan 22 10:40:42 PST 2008
> From: ietf-dkim-bounces at mipassoc.org [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of MH Michael Hammer (5304)
>> From: ietf-dkim-bounces at mipassoc.org [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Hallam-Baker, Phillip
>> There are two questions that you can answer with a DKIM like
> I would phrase the questions slightly differently
>>1) Is there an authentic claim of responsibility from a trustworthy party?
> Can I authenticate a claim of responsibility from a party (that party may
> or may not be trustworthy but I can authenticate they are making the
>>2) Is there an authentic claim of origin from an identified party?
> Is the identified party the originator of the message and can I
> authenticate them as such?
>> A claim of responsibility is not the same as a claim of origin. If all
>> you want to do is to whitelist email for spam control
>> purposes you simply do not care if the signer of the email is the
>> originating party in any sense (author, employer, etc.). The multiple
>> from issues is irrelevant.
>> If you do care about authenticated origin the RFC 822 headers are
>> frankly irrelevant. The only claim(s) of origin you care
>> about are those that are authenticated. If you have multiple From and
>> only one is
>> authenticated then you are only going to tread that one as authenticated
>> for purposes where you require authentication. If all the From addresses
>> are authenticated then you are fine.
> Agreed except that the Sender field should not be used unless it is in the
> same domain as (authenticated) From.
If you have an authentic claim of responsibility from a trustworthy party (as per #1), why should it matter whether that party is represented by the From: header or the Sender: header? And why, if the authenticated party in the Sender: field is trustworthy, should it be required that the From: domain is authenticated directly?
This all seems counter to the idea that reputation is the real differentiator. You seem to be saying that a trustworthy, authenticated signature related to the Sender field is worthless, but any authenticated signature related to the From: field is goodness. Taking that to its logical conclusion, spam signed with a signature based on the bogus From: domain will be rated better than valid mail signed with a well-know, trusted 3rd party signature based on the Sender field.
Using SSP as a backup if your first-level reputation check yields uncertain results is one thing, but claiming that receivers should automatically be invoking it any time that a signature fails to match the originator domain (independently of the trust status of the existing signature) seems like it's potentially creating more problems than it's solving.
More information about the ietf-dkim