[ietf-dkim] Corner cases and loose ends, was , draft-vesely-dkim-joint-sigs
mike at mtcc.com
Mon Sep 27 11:38:54 PDT 2010
On 09/27/2010 11:17 AM, Al Iverson wrote:
> On Mon, Sep 27, 2010 at 1:05 PM, Michael Thomas <mike at mtcc.com> wrote:
>> On 09/27/2010 10:58 AM, Michael Thomas wrote:
>>> On 09/27/2010 10:38 AM, John R. Levine wrote:
>>>>> Ignorance is bliss, I guess, especially when it comes to pontificates.
>>>>> That's what every implementation of DKIM for MTAs, both open source and
>>>>> commercial that I'm aware of does, though some do and don't do the ADSP
>>>>> lookup. News at 11: email is still delivered, with little to no
>>>> It is not my impression that they all do the full DKIM validation while
>>>> the SMTP session is open. Mine doesn't.
>>> You would be completely wrong in your impression.
>>> Source is your friend.
>> Oh, I see John weaseled from "nobody does that" to the unprovable
>> "not everybody does that". In any case, John is completely wrong
>> with his assertion that doing DKIM/ADSP validation at SMTP time
>> is somehow even vaguely untenable. It isn't. It's common as dirt.
> It's hard to imagine a large, DKIM-checking mail provider, like, say,
> Yahoo, doing that mid-transaction.
> Do you have any data/insight on how to quantify "common as dirt"? I'm
> doubtful of your claim without it.
Yes, I have a lot of insight. My implementation did it that way, which
along with Murray's (and any other that's based off of milters), do it
that way. I don't have access to Y!'s source to say for sure, but my
impression from Mark and Miles is that they did it in-session and that
all of our experiences were the same: it added very little overhead.

I don't know why this should surprise anybody. Doing DNS lookups in-session
*is* common as dirt for RBL lookups, even if the big boys have the RBL
databases in-house for performance. So the only other issue with DKIM is
the actual computational overhead, and Eric did some calculations that it
was *maybe* 5% overhead, and that was 5 years ago -- Moore's Law only

So by all means, doubt away. Is there anybody else who was at the Interop
who *doesn't* do DKIM in-session? It was my impression that everybody did
it that way.