[mail-vet-discuss] Proposed "header.b" tag for DKIM signatures

Murray S. Kucherawy msk at cloudmark.com
Thu Mar 25 13:38:40 PDT 2010

> -----Original Message-----
> From: Alessandro Vesely [mailto:vesely at tana.it]
> Sent: Thursday, March 25, 2010 12:16 PM
> To: Murray S. Kucherawy
> Cc: mail-vet-discuss at mipassoc.org
> Subject: Re: [mail-vet-discuss] Proposed "header.b" tag for DKIM
> signatures
> How do I get a local policy? I guess this question is may sound silly,
> but it seems that failures originate from header mangling much more
> frequently than real forgeries. DKIM may need some false-alarm
> reduction system to increase its reliability. In this case, it may
> also be considered a disservice to force users to fully understand the
> matter in order to devise adequate policies.

I don't think un-savvy end users are the places where evaluation schemes are defined or configured.  I would suspect the place a local policy is set would be within the purview of a local system administrator who does have some idea about local policy definition or enforcement.
> Put it another way, what is A-R going to provide w.r.t. DKIM?
> * Save consumer's cpu time/DNS lookups for signature verification, or


> * provide a synthesis of a message's trustworthiness, according to the
> best knowledge of the filtering agent.


> Truly sophisticated servers can still provide a policy-definition
> wizard that allows users to tailor the service according to their
> specific needs.

Certainly, but that's one of many possible architectures.  Also, the idea here is that the border is where DKIM evaluaton is done, while the policy enforcement could be somewhere more internal (maybe corporate vs. department, cloud vs. local, etc.).  It's a lot cheaper to parse an A-R header and some DKIM signatures than it is to parse and process (including the crypto and DNS) a batch of DKIM signatures that was already evaluated at some trustworthy upstream location.

More information about the mail-vet-discuss mailing list