[ietf-dkim] New Version Notification for draft-levine-dbr-00 (fwd)
steve at wordtothewise.com
Thu Jun 24 09:34:15 PDT 2010
On Jun 24, 2010, at 8:45 AM, Martijn Grooten wrote:
>> So why does a domain that performs that painful audit and
>> remediation need to then tell John's drop list that it's OK to
>> drop unsigned mail? It doesn't. It can just publish an ADSP
>> record and be done with it. No need to count on some unreliable,
>> unaccountable point of failure to mediate their business.
> What if it publishes an ADSP record but doesn't understand the implications? Because, for instance, they send a lot of email to mailing lists. Or because to some emails, an MTA adds some blurb to the body after the DKIM signature has been computed. Or because they forget that in some (rare) cases they do not sign their email. (The latter happened to GMail who, without having published an ADSP record, had said that all of their email was DKIM-signed. Some of it wasn't. At least one commercial spam filter used GMail's claim to block unsigned email coming from GMail.)
> So my view of the service being discussed here isn't one where some guy in upstate NY claims to have full knowledge of which domains DKIM-sign all their outbound email. Rather, it's a service where the manager of the service uses claims made by the sender about whether they sign all of their email and then only lists those domains that know what they're doing.
Maybe we need an ADSP flag that says "I think I sign all my outbound mail, and if a trusted third party vouches that I'm not entirely clueless about DKIM then you should trust them and treat this as "dkim=discardable", but otherwise don't pay too much attention to this and treat it as "dkim=unknown"".
Or maybe that's what "dkim=all" already means.
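The receiver-side logic sketched in the message above, as an added example (it is not code from the message, the list, or any draft): a small ADSP evaluator in Python that applies the RFC 5617 dispositions and, for `dkim=all`, the proposed variant in which a trusted third-party vouch list decides between "discardable" and "unknown". The vouch list and the records are constructed sample data, and the function names are assumptions of this example.

```python
from typing import Optional

# Practices defined by RFC 5617 for the dkim= tag of an ADSP record.
ADSP_PRACTICES = {"unknown", "all", "discardable"}

def parse_adsp(record: str) -> Optional[str]:
    """Return the dkim= practice from an ADSP TXT record, or None if it is missing or invalid.
    Unknown tags (e.g. the constructed 'foo=bar' in the test) are ignored, as the RFC requires."""
    for tag in record.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ADSP_PRACTICES else None
    return None

def adsp_result(practice: Optional[str], has_author_signature: bool,
                vouched: bool, hybrid: bool = True) -> str:
    """Disposition for a message whose From: domain publishes `practice`.

    has_author_signature: a valid DKIM signature whose d= equals the From: domain.
    vouched: a trusted third party lists the domain as one that really signs everything
             (the hypothetical vouching proposed in the message; not part of RFC 5617).
    hybrid=False gives plain RFC 5617 results: pass / unknown / fail / discard.
    hybrid=True treats dkim=all as discardable only when vouched, otherwise as unknown.
    """
    if has_author_signature:
        return "pass"
    if practice is None or practice == "unknown":
        return "unknown"
    if practice == "discardable":
        return "discard"
    # practice == "all": no Author Domain Signature present
    if not hybrid:
        return "fail"
    return "discard" if vouched else "unknown"

# Constructed sample data: a vouch list and two published ADSP records.
VOUCHED_DOMAINS = {"signs-everything.example"}
RECORDS = {
    "signs-everything.example": "dkim=all",
    "forgot-a-server.example": "dkim=all; foo=bar",
}

def evaluate(from_domain: str, has_author_signature: bool, hybrid: bool = True) -> str:
    """Look up the constructed record for from_domain and return the disposition."""
    practice = parse_adsp(RECORDS.get(from_domain, ""))
    return adsp_result(practice, has_author_signature, from_domain in VOUCHED_DOMAINS, hybrid)
```

With `hybrid=True` the domain that forgot to sign from one server is not harmed by its own `dkim=all` record until someone vouches for it; with `hybrid=False` the same unsigned mail is an ADSP "fail".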