[ietf-dkim] list vs contributor signatures, was Wrong Discussion
dotis at mail-abuse.org
Mon May 10 12:15:40 PDT 2010
On 5/10/10 4:50 PM, John R. Levine wrote:
>>> No, all it says is "we signed this mail." A signer with a good
>>> reputation will presumably rarely sign mail where the From: address
>>> actively misidentifies the sender, but that's a second order effect.
>> Right, and because the domain owner has signed the email, they can be held
>> responsible for abuse. At least, to a greater extent than when the mail
>> hasn't touched any system that they have any control over.
> It is certainly reasonable to say that the signer has a good reputation,
> so we will accept his mail. But that's different from saying that the
> signer has a good reputation, so the From: address must be "real".
For those looking for some hybrid scheme, it should be noted SPF does
not authenticate originating domains. Domain reputation based upon SPF
authorization is prone to exploitation, since many domains share common
servers. Ambiguities caused by shared IP address authorization makes it
impractical to respond effectively by name. In addition,
Authentication-Results headers fail to capture the IP addresses of
servers publicly issuing messages (over port 25) which also impairs IP
address reputation checks of transactions handled by third-parties, such
>>> Once again, this sounds like a solution searching for a problem. I've
>>> done the occasional bozofiltering in mailing lists, but because the
>>> people were bozos, not spammers.
>> The problem is reputation assignment. Different recipients (of mail from the
>> same list) will have different views of the sender's reputation.
>> But, the problem is real, and recognised. Mailing lists break signatures.
> It is certainly a fact that mailing lists break signatures. But there are
> differences of opinion whether it's a problem. Although I've seen plenty
> of assertions that it's a problem, we're a bit thin with real life as
> opposed to hypothetical scenarios where the broken signature leads to bad
> The only one I've seen so far is the ADSP+list -> lost or rejected mail.
> I would say that is misuse of ADSP, not a list problem, since we were
> quite aware of it and in Appendix B of RFC 5617 we say not to do that.
The intended use of restrictive ADSP is to allow domains a means to
limit acceptance of potentially misleading messages. When is it okay
for a trusted entity to permit acceptance of potentially misleading
messages, and wouldn't use of additional domains lead to recipient
confusion and invite more abuse?
Email reputation checks seldom reflect whether some From email addresses
might be misused. Use of DKIM in conjunction with a domain specific
third-party authorization mechanism provides domains an effective means
to better protect their recipients. Lacking a domain specific
third-party authorization scheme makes ADSP unsuitable for most
domains. Abuse is not limited to just transactional messages. Being
limited to transactional messages affords too little coverage to foster
More information about the ietf-dkim