[ietf-dkim] General Feedback loop using DKIM
dhc at dcrocker.net
Thu May 28 08:13:36 PDT 2009
Michael Adkins wrote:
>> Req. #3 requires some sort of assessment mechanism, such as a third-party
> There are two questions that you have to answer before you send a
> report. One is where to send it. How to answer that question is a good
> candidate for standardization I think. The other is whether you should
> send it or not. This is a much stickier question as the policies for
> existing FBLs vary widely and there is scant little consensus. On the
> one end you have folks like Outblaze who require a strong whitelist
> status for the sender in order to receive reports. On the other you have
> AOL who will send reports to anyone who can display a reasonable amount
> of authority for the domain (access to the postmaster@ mailbox for a
> confirmation, for example). These differences are due to policies based
> around everything from filtering strategy to legal requirements and
> there is little motivation to converge. As such, I find this part to be
> a poor candidate for standardization, beyond addressing the bare minimum
> authority requirements. If there is a strong desire to do so, that's
> fine, but please keep it separate from the 'where to send it' question.
I think the "whether" question divides into two parts.
The first is authority for receiving reports. This is more than just being told
where to send reports; it satisfies the requirement to determine that the
directive for where to send reports comes from an authority to make that
request. So, is the "where" a valid request?
The second is whether the reporting agency wants to honor that valid request.
That's the role of the assessment mechanism. You cite Outblaze, which requires
a strong assessment, and you cite AOL which effectively requires none -- it will
send a report to anyone asking for it and authorized to do so. I can't think of
any reason that is or should be inherent to this mechanism for constraining the
assessment step -- the Outblaze and the AOL policies both ought to be acceptable.
In the summary, I tried to wave my hand about what assessment step might be
performed. I think you've demonstrated why it's important NOT to specify very
much about it. But I don't think you've highlighted any error or problem with
this part of the summary. (In contrast with the corrections you supplied for
other parts of the summary.)
>> I guess my question is why this doesn't come for free, when honest-to-goodness
>> operator-oriented domain name white lists gain traction? Such lists are the
>> real goal of doing /any/ DKIM signing. So once you have sending operators
>> signing with DKIM and an array of assessment mechanisms using DKIM-verified
>> domain names, why can their use be easily extended to this type of FBL?
> They can if the whitelists requirements comply with your FBL policy. So,
> you are correct in that eventually we should get it for free. This is a
> good argument for leaving the 'should I send it' question separate from
> 'where to send it'.
and, to be complete, the "is the specification for where to send it valid?"