[ietf-dkim] brand protection, was Is anyone using ADSP?
iane at sussex.ac.uk
Wed Oct 14 04:09:11 PDT 2009
--On 13 October 2009 23:07:58 +0000 John Levine <johnl at iecc.com> wrote:
> This is really much simpler than you're making it out to be.
>> I understand the issue here, but part of the point of DKIM/ADSP is to
>> allow automated systems to assign reputation to an email domain or
>> email address - a byte string.
> For DKIM, that's basically right, it ties a domain to a mail stream so
> receivers can assign a reputation to the mail stream. For ADSP that's
> completely wrong, all it does is allow senders to make assertions that
> receivers may or may not find credible or useful, but that have
> nothing at all to do with managing the mail stream's reputation.
> (Remember that ADSP only applies to mail not in the signed mail
OK. What ADSP adds is the ability to assign reputation to a specific email
claiming to originate from a specific domain. Except for "unknown".
>> It might be nice if paypal could publish in the DNS a set of related
>> domains, that it is willing to share the reputation of paypal.com
> Why would they do that?
For brand reputation protection - you've cut the relevant quote that I was
responding to. It's not really a DKIM issue, but if I get email from
paypal.co.uk, then how do I determine whether that email is from paypal?
Nothing in the paypal.com ADSP records tells me anything about that domain.
I don't know whether to expect email from it. The absence of DKIM and ADSP
records tells me nothing.
My idea is that a company might publish an exhaustive list of domains that
they use, so that I can automatically detect domains that may be attempts
to defraud recipients. I'd probably only apply this to high value domains,
but the algorithm would look like this: "if the domain is similar to, but
different from PAYPAL.COM, then bump up the spamassassin score". After all,
that's what we hope that users will be doing when reading messages.
> Remember that DKIM is not SPF nor Sender-ID,
> and you can put your domain's signature on any mail you send. Paypal
> signs their mail with paypal.com. If I send you a Paypal payment,
> they will send you a mail with my return address announcing the
> payment. That message is signed with d=paypal.com because Paypal
> takes responsibility. (They really do this, I just tried it.)
They use a third party return-path? Presumably not, with the implications
for domains that publish spf -all records. Or you mean some message header?
The From: header? That would have ADSP implications.
>> Positive reputation could flow from paypal.com to the shared domains,
>> and negative reputation in the reverse direction.
> Positive reputation flows from paypal.com to the mail they sign. If you
> think they need a lot of signing domains, you're misunderstanding the
> way that DKIM works.
Actually, that isn't something that occurred to me, but it's useful to
IT Services, University of Sussex
For new support requests, see http://www.sussex.ac.uk/its/help/
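As an added illustration (not code from the post or from the list), the scoring rule sketched above in Python: a domain that is on the brand's published list scores nothing, a domain that merely resembles the brand label gets a fixed bump. The published list, the bump value, the edit-distance threshold and the "brand label as substring" heuristic are all assumptions of this example.

```python
from typing import Optional

# Constructed sample data: the kind of exhaustive domain list the post
# imagines a brand publishing, keyed by its brand label.  Not a real record.
PUBLISHED_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
}
LOOKALIKE_BUMP = 3.0   # assumed: points added to a SpamAssassin-style score
MAX_DISTANCE = 2       # assumed: edit distance still counted as "similar"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are exact."""
    return domain.strip().rstrip(".").lower()


def lookalike_reason(sender_domain: str) -> Optional[str]:
    """Why the domain looks like a brand it is not published for, or None."""
    d = normalize(sender_domain)
    published = set().union(*PUBLISHED_DOMAINS.values())
    if d in published:
        return None                       # exactly a domain the brand listed
    for brand in PUBLISHED_DOMAINS:
        for label in d.split("."):
            # "paypal.com.evil.example" or "paypal-secure.example"
            if brand in label:
                return f"label {label!r} contains {brand!r} but {d} is not published"
            # "paypa1.com", "pay-pal.com": close in edit distance to the brand
            if len(label) >= 4 and levenshtein(label, brand) <= MAX_DISTANCE:
                return f"label {label!r} is within {MAX_DISTANCE} edits of {brand!r}"
    return None


def score_adjustment(sender_domain: str) -> float:
    """Score bump to apply for the sender's domain (0.0 if nothing suspicious)."""
    return LOOKALIKE_BUMP if lookalike_reason(sender_domain) else 0.0
```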