[ietf-dkim] draft Errata on RFC 4871
Douglas Otis
dotis at mail-abuse.org
Fri Jan 30 10:45:28 PST 2009
On Jan 30, 2009, at 8:37 AM, Suresh Ramasubramanian wrote:
> On Fri, Jan 30, 2009 at 9:41 PM, Jeff Macdonald <jmacdonald at e-dialog.com
> > wrote:
>> On Thu, Jan 29, 2009 at 04:14:02PM -0500, MH Michael Hammer (5304)
>> wrote:
>>
>>> Signer does not necessarily have to equal sender for DKIM base.
>>> This is one of the reasons I tend to fall into the "d=" camp.
>>
>> Don't forget i= is also in control of the signer too. An author/
>> sender does not control it.
>
> Which would kind of make it redundant?
No. The i= parameter allows the signer to establish an identity that
they have verified in some manner.
A domain has a few choices as to how this i= value might be used:
1) Have it match the originating email-address whenever this email-
address represents who the signer verified.
2) Not include the i= value and prevent finer grain assessments.
3) Have the i= represent an opaque attribute that represents who the
signer verified.
Large domains will almost always have some small percentage of
problematic accounts. If the d= parameter becomes a significant basis
for acceptance, then replay abuse will need to be controlled.
A reputation service will provide little value when replay abuse
prevents reliance on the DKIM domain for the majority of email being
handled.
To rescue the service, the reputation of a DKIM domain might be Good /
Check-I / Bad
A secondary check of the i= reputation for problematic domains would
help mitigate an otherwise uncontrolled amount of abuse. Path
registration represents the only other alternative.
-Doug
More information about the ietf-dkim
mailing list