[ietf-dkim] MLMs and the use of multipart/alternative to preserve original DKIM signature and at the same time add a new DKIM signature
hsantos at isdg.net
Wed Aug 4 12:50:01 PDT 2010
Charles Lindsey wrote:
> But this assumes that the author is in a position to apply those
> remedies. If he is a lowly employee of some large security-conscious
> organization (say Paypal) there is probably a company rule that
> everything goes out under the company domain name, and employees are
> forbidden from sending emails with From: set to anything else (at least
> when sent from company equipment in company time).
> But it may still be in the company's interest for ite employees to
> subscribe to mailing lists (e.g. list discussing security - such as this
> Yes, the company has shot itself in the foot, but in the Real World (TM)
> that is a Regular Situation, and it is probably more useful to devise
> schemes that work in spite of foot shooting than to waste effort trying
> to stop the foot shooting in the first place.
I think we need to put more faith in the domains wanting and declaring
Why would an individual, company, corporation, especially major one
with a high value branded domain implement two technologies (SPF and
ADSP) for the main purpose to publicly expose and declare to the world
a highly exclusive and restrictive mail operations policies and
yet then still think or expect there would be permissible
corporate "loopholes" for external usage of their domain which would
be end up 100% conflictive with their stated policies?
If Paypal or anyone explicitly declares restrictive policies with no
subjective considerations (its not soft, its not neutral, its not
sometimes signed, but always sign with hard policies), then I don't
think it is expected by them the ADSP aware receivers are going to
ignore faulty paypal.com messages and just pass it on.
paypal.com stated very strongly:
SPF: -ALL policy, only their machines can send mail
ADSP: DKIM=DISCARDABLE only paypal signs as 1st party
They specifically declared:
If the sending machines are not ours, don't trust it and
reject it. If the message is invalid (no signature or not signed
by paypal), get rid of it.
You can get any more explicit than this publicly exposed policy.
I'm sure paypal.com knew what it was doing when they internally
discussed and consciously decided to create those very exclusive and
restrictive policies. IMO, it also creates a DISCLAIMER for themselves.
Whats the point in 2nd guessing an restrictive SPF and/or ADSP domain?
The are not neutral in this declaration. They are very specific.
They don't want you to resign it.
That is why, IMO, it is far easier for a MLS to preempt all
domains. This solves all MLS conflicts related to ADSP domains.
More information about the ietf-dkim