[ietf-dkim] list vs contributor signatures, was Wrong Discussion
dotis at mail-abuse.org
Sat May 1 00:07:01 PDT 2010
On 4/30/10 6:45 PM, John R. Levine wrote:
>> I don't think that's what I'm saying. Currently lists don't do much to
>> authenticate senders. I don't think it's implausible that a recipient might
>> have stricter rules than a list manager. It might be unusual, I suppose.
> I agree it's hypothetically possible, but have you ever seen an actual
> need for this in practice, a list where the recipients filter out messages
> that a more competently managed list would have rejected?

Efforts at protecting recipients with ADSP "all" or "discard-able"
conflict with the message handling of properly run mailing-lists.
Mailing-list handling does not need to change, even those that remove
DKIM signatures. With minor efforts, a transitional strategy that
introduces sender authorization offers exceptions needed for "all" and
"discard-able" conflicts. The enhanced protection these policies
afford is critical for financial institutions, whether for corporate or
transactional messages. Better source authentication is also
increasingly needed to thwart a growing number of social engineering
ploys, and to properly identify compromised accounts. When
mailing-lists include A-R headers, these can be audited by the sender.
The sender's authorization then enables them to protect their
authentication from otherwise trivial spoofing and to guard against
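
The conflict described in the post above, as an added example that is not part of the original message: a receiver applying ADSP (RFC 5617) to a message whose author-domain signature did not survive a mailing list. The domains, header values and outcome labels ("accept", "suspicious", "discard") are constructed for illustration, and the DKIM results are read from an Authentication-Results header assumed to have been added by the receiver's own trusted server.

```python
import re

ADSP_PRACTICES = ("unknown", "all", "discardable")

def parse_adsp(txt):
    """Return the dkim= practice from an ADSP TXT record; default 'unknown'."""
    for tag in txt.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ADSP_PRACTICES else "unknown"
    return "unknown"

def dkim_results(auth_results):
    """Return [(result, signing_domain)] for each dkim entry in an A-R value."""
    found = []
    for clause in auth_results.split(";")[1:]:  # first field is the authserv-id
        method = re.match(r"\s*dkim\s*=\s*(\w+)", clause)
        domain = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", clause)
        if method and domain:
            found.append((method.group(1).lower(), domain.group(1).lower()))
    return found

def adsp_outcome(from_domain, adsp_txt, auth_results):
    """Apply the author domain's ADSP practice to one message."""
    practice = parse_adsp(adsp_txt)
    # Only a valid signature whose d= equals the From: domain counts as an
    # Author Domain Signature; the list's own signature does not.
    author_signed = any(result == "pass" and domain == from_domain.lower()
                        for result, domain in dkim_results(auth_results))
    if author_signed or practice == "unknown":
        return "accept"
    return "discard" if practice == "discardable" else "suspicious"

# Constructed Authentication-Results values (header name omitted).
DIRECT = "mx.example.net; dkim=pass header.d=bank.example"
VIA_LIST = ("mx.example.net; dkim=fail header.d=bank.example; "
            "dkim=pass header.d=list.example.org")   # list altered the body
STRIPPED = "mx.example.net; dkim=pass header.d=list.example.org"  # sig removed

if __name__ == "__main__":
    for label, ar in (("direct", DIRECT), ("via list", VIA_LIST),
                      ("list stripped sig", STRIPPED)):
        for record in ("dkim=all", "dkim=discardable"):
            print(label, record, "->", adsp_outcome("bank.example", record, ar))
```

A valid list signature never rescues the message, which is why the post argues for an explicit exception mechanism rather than a change in list behaviour.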