[ietf-dkim] Domain Existence Check and Erroneous Abstract
dotis at mail-abuse.org
Thu Jun 5 11:41:34 PDT 2008
On Jun 5, 2008, at 4:23 AM, Charles Lindsey wrote:
> On Wed, 04 Jun 2008 18:46:18 +0100, Douglas Otis <dotis at mail-
>> This touches a significant issue. The rfc2822.From fields may
>> contain addresses that will _not_ resolve any DNS resource records
>> for protocols other than SMTP. For example, Microsoft Exchange was
>> initially based upon X.400 recommendations in the 1980s by the
>> Consultative Committee of International Telephone and Telegraph
>> (CCITT), now known as Telecommunications Standardization Sector of
>> the International Telecommunication Union (ITU-T). As a result,
>> use of X.400 addresses means it is fairly common to find email-
>> address domains that do not exist whatsoever within DNS. An
>> NXDOMAIN result with respect to an X.400 MS Exchange email-address
>> is completely meaningless.
> Then please could you provide us with a full example that could
> actually happen, starting from an X.400 email that somehow got
> transformed into an RFC 2822 object that contained unresolvable
> domains, and which yet managed to acquire a DKIM signature (not
> necessarily by anything in the From header) and was also capable of
> being replied to by its recipient.
> If such a beast can exist, then we need to take note of it, but I am
> not aware that it could exist.
Many companies use MS Exchange rather than normal SMTP servers. MS
Exchange permits creation of mail addresses unreachable by SMTP, since
these domains may only exist through an internal X.400 assignment.
While some companies find this a desirable feature, it is often a PITA
for users of this service. While a parent domain may wish to assert
ADSP practices, MS Exchange related email sub-domains can be created
for various purposes without publishing _any_ record within DNS. The
MUA will therefore receive a mixture of SMTP and MS Exchange messages,
but this would only create a problem with specific domains for users
of the MS Exchange service.
One common solution is to forward out of MS Exchange to an SMTP
server, but where the "special" sub-domains within the company's email
are then unable to receive an SMTP response. In my case, there are
also many parent domains within various TLDs to examine as well.
Asking how these messages receive a DKIM signature misses the point.
There would be little value using DKIM for messages normally
restricted to a corporate MS Exchange.
ADSP should be defined as offering practices for SMTP, and not MS
Exchange, Lotus Notes, NNTP, etc. Protocol gateways will be impaired
by an application of ADSP that precludes acceptance from domains not
supporting SMTP. When an Author Domain asserts even a CLOSED
practice, a protocol gateway problem cannot be mitigated by only
testing for NXDOMAIN when a bridged protocol has not implemented
DKIM. Receiving messages from protocols other than SMTP requires
exceptions be made when applying ADSP. In any case, ADSP cannot be
universally applied at the MUA.
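The following is an added illustration of the domain-existence check under discussion, written for this page and not taken from the thread, from the ADSP draft, or from any DKIM implementation. It evaluates ADSP for an Author Domain against a constructed in-memory DNS snapshot: the record name `_adsp._domainkey.<domain>` and the `dkim=` tag values follow the ADSP specification, while the resolver, the zone contents (`example.com`, `lists.example.com`, the non-existent `x400.example.com`), the MX-based existence probe and the "gateway exception" list are assumptions chosen to show how an Exchange-internal sub-domain with no DNS presence comes back as NXDOMAIN, and how a receiver would have to special-case it as the message argues.

```python
"""Author-domain existence check plus ADSP lookup over a constructed DNS
snapshot.  Added example; not code from the ietf-dkim thread or any DKIM
implementation.  Record name and tag syntax follow ADSP; everything else
(resolver, zone data, gateway-exception policy) is an assumption."""

NXDOMAIN = object()          # sentinel returned when a name does not exist
ADSP_VALUES = ("unknown", "all", "discardable")


class FakeResolver:
    """Stand-in for a DNS resolver.  `zone` maps (name, rrtype) to a list of
    record strings.  A name exists if it owns records or is an empty
    non-terminal (some existing name lies below it); anything else is
    NXDOMAIN, mirroring real DNS semantics."""

    def __init__(self, zone):
        self.zone = {(n.lower().rstrip("."), t): list(v) for (n, t), v in zone.items()}
        self.names = {n for (n, _) in self.zone}

    def _exists(self, name):
        return name in self.names or any(n.endswith("." + name) for n in self.names)

    def query(self, name, rrtype):
        name = name.lower().rstrip(".")
        if not self._exists(name):
            return NXDOMAIN
        return self.zone.get((name, rrtype), [])   # [] == NOERROR / no data


def parse_adsp(txt):
    """Parse a 'tag=value; tag=value' TXT string into a dict."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def adsp_lookup(author_domain, resolver, gateway_domains=frozenset()):
    """Return one of: 'gateway-exempt', 'nxdomain', 'none', 'unknown',
    'all', 'discardable'.

    gateway_domains is an assumed local exception list for sub-domains that
    reach SMTP only through a protocol gateway (e.g. X.400 / Exchange
    internal names) and therefore have no DNS records at all."""
    domain = author_domain.lower().rstrip(".")
    if domain in gateway_domains:
        return "gateway-exempt"

    # 1. Domain existence: probe the Author Domain itself.  MX is used here
    #    as the probe type (assumption); what matters is NXDOMAIN vs. not.
    if resolver.query(domain, "MX") is NXDOMAIN:
        return "nxdomain"

    # 2. Fetch the ADSP record at _adsp._domainkey.<domain>.
    txts = resolver.query("_adsp._domainkey." + domain, "TXT")
    if txts is NXDOMAIN or not txts:
        return "none"
    for txt in txts:
        value = parse_adsp(txt).get("dkim")
        if value is not None:
            # Unrecognised values are treated as 'unknown' (assumption).
            return value if value in ADSP_VALUES else "unknown"
    return "none"


def receiver_disposition(adsp_result, author_signature_valid):
    """One receiver's local handling of the lookup result (assumption,
    not mandated by ADSP): a valid Author Domain signature always wins;
    otherwise NXDOMAIN is rejected and 'discardable' is discarded."""
    if author_signature_valid:
        return "accept"
    if adsp_result == "nxdomain":
        return "reject"
    if adsp_result == "discardable":
        return "discard"
    return "accept"


# Constructed zone snapshot: example.com publishes ADSP, lists.example.com
# exists without ADSP, and x400.example.com is deliberately absent to model
# an Exchange/X.400 internal sub-domain that never reached DNS.
ZONE = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_adsp._domainkey.example.com", "TXT"): ["dkim=all"],
    ("lists.example.com", "MX"): ["10 mail.example.com."],
}

if __name__ == "__main__":
    resolver = FakeResolver(ZONE)
    for d in ("example.com", "lists.example.com", "x400.example.com"):
        print(d, "->", adsp_lookup(d, resolver))
    print("x400.example.com with gateway exception ->",
          adsp_lookup("x400.example.com", resolver, {"x400.example.com"}))
```

Run as a script it reports `all`, `none` and `nxdomain` for the three domains, and `gateway-exempt` once the X.400 sub-domain is listed as a gateway exception; the last case is the exception the message says a receiver must make, since no amount of NXDOMAIN testing can distinguish a typo-squatted domain from a legitimate sub-domain that only exists inside an Exchange directory.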