[ietf-dkim] New Version Notification for draft-levine-dbr-00(fwd)

Steve Atkins steve at wordtothewise.com
Thu Jun 24 08:43:08 PDT 2010


On Jun 24, 2010, at 8:21 AM, Michael Thomas wrote:

> On 06/24/2010 07:49 AM, John Levine wrote:
>> Are you making the assumption that all third party lists would be equally
>> credible?  That's no more likely than all DNSBLs being equally credible.
>> 
>> In both cases, the good ones will make sure their data is correct,
>> maybe by backchannels to the underlying providers (see the Spamhaus PBL
>> for an example of that) or by some kind of feedback watching the mail
>> they make assertions about.  The bad ones won't do that, and won't be
>> useful.  (See any number of useless poorly run DNSBLs for an example
>> of that.)
> 
> Any service that doesn't have an *explicit* guarantee from the mail
> domain itself that it signs all mail is worse than incompetent,
> it's harmful. A third party can *never* prove the negative that the
> domain in question doesn't have sources of unsigned mail that they
> don't want discarded. The domain in question without a thorough
> audit probably doesn't have a clue itself if it's even vaguely
> largeish.
> 
> So why does a domain that performs that painful audit and
> remediation need to then tell John's drop list that it's OK to
> drop unsigned mail? It doesn't. It can just publish an ADSP
> record and be done with it. No need to count on some unreliable,
> unaccountable point of failure to mediate their business.

The problem is that it's not possible to distinguish based solely on
self-published data the domain that's done all that work, and actually
understands the implications, from the domain that's just published
an ADSP record because they'd heard it was a good idea, with no
understanding of the effect that would have on their email.

Even PayPal, who are one of the main forces driving ADSP, didn't
think through the most basic implications, and caused a lot of
legitimate email that was from their domains, yet not DKIM signed 
to be received. If recipient use of ADSP were widespread then
that would have been a business failure rather than just an
embarrassment.

Given that, the odds that any given ADSP-discardable record is
something that it makes operational sense to use is pretty low.
And no competent mailbox operator will want to allow untrusted
third parties to control the service they provide to their customers -
delivery of email.

A similar argument applies to third party lists, including those
run by John, ReturnPath and Spamhaus, with the critical difference
that each of those lists is a single entity, rather than the
ADSP-discardable pseudo-list, which is run by as many different
people as there are domains, so their accuracy can be tracked
over time, and their data only used once it's demonstrated itself to
be accurate enough to have operational benefits.

Cheers,
  Steve


