[ietf-dkim] MLMs and signatures again
steve at wordtothewise.com
Thu May 26 15:19:36 PDT 2011
On May 26, 2011, at 2:53 PM, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: ietf-dkim-bounces at mipassoc.org [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Steve Atkins
>> Sent: Thursday, May 26, 2011 2:10 PM
>> To: DKIM List
>> Subject: Re: [ietf-dkim] MLMs and signatures again
>> In that case the reputation of the MLM is poor, and I don't want to
>> receive email from it. I still don't care about who the participants
>> The idea that people might sign up for a mailing list full of junk,
>> and hope that their spam filters / reputation engine will magically
>> pull the occasional gem out of it seems pretty unlikely. And that's
>> the premise behind there being value in tracking the reputation
>> of original authors in the case of their email being re-sent by a
> Let's say I route all traffic from list X to its own separate mailbox, but I also want my MUA to flag for special attention mail sent to that list by people I hold in high regard, for example, and I want that to be based on their accumulated reputations.
That's relying on an awful lot of vaporware in the MUA, orthogonal to any sort of authentication. I don't think any MUAs really track sender reputation in any way.
> I either have to base that on something forgeable like From:, or on something reliable like "d=". That doesn't seem magical to me.
Well, d= won't identify the original sender at all, in the case of individuals sending to a mailing list. It'll identify the domain of their ISP, nothing more.
> It's a bit of a contrived example, but right now I would have to maintain that list manually; it would be nice to have it done automatically based on feedback I provide to a reputation system.
Tunneling DKIM signatures through MLMs doesn't seem to be the missing bit of technology needed to do this.
If the MLM signs any email it sends then you have some level of trust in any information it annotates the mail with.
*If* it were possible to identify the original email author in some way (S/MIME, PGP, some private shared secret approach....) the MLM could annotate the mail with that information, and you could trust it enough to filter on. If the MLM doesn't have enough information to identify the original email author, it's unlikely you do either - whether there's a second DKIM signature or not.
 It's something that'd be useful, though - it's been on my TODO list for about two years to add exactly this to our CRM system, via end-user thumbs-up / thumbs-down buttons.
More information about the ietf-dkim