On Sep 9, 2010, at 5:40 PM, Douglas Otis wrote:
On 9/9/10 1:04 PM, McDowell, Brett wrote:
But, before we dismiss the problem you raised... .gov domains *are* highly
phished and they share this TLD problem with .edu. That said, how many
.gov-ers need to (or are allowed to) participate in public mail lists?
Ugh! We simply have to fix the root cause of MLM's breaking DKIM signatures.
Disagree. This would then mean MLM messages become visually similar to
messages from individuals.
I didn't mean to suggest MLM's should stop doing the things they do that break
DKIM signatures. I'm actually a fan of the A-R header (or perhaps a new one)
approach -- used in a clear (profiled?) way -- so MLM's can assert to receivers
that they verified the sender's signature before processing and re-signing it.
This type of change won't happen overnight,
or perhaps even within the same decade. Many lists don't authenticate
the source of each message being distributed. Until there is universal
adoption of A-R header and DKIM, it remains beneficial for these
messages to be visually different when issued by a mailing-list. Some
MUAs have extensions able to display various header fields, like
List-ID. It would be helpful if MUAs had a display option for this
On the other hand, the TPA-Label concept is premised upon third-party
sources being recognized by senders. As the diversity of sources
increases, identifying good rather than bad becomes a more productive
strategy. For this scheme to function, the sender will need to
reference a third-party list that meets their requirements, or generate
By placing the DKIM signature within a subdomain, the TPA-Label can also
indicate to recipients how _any_ authorized message with From header
fields containing an address from their domain is to be authenticated.
This scheme should help email transition gracefully to stronger
methods. This scheme should also allow phished domains the ability to
use a single domain for all of their email, including messages from
unmodified mailing-lists, while also offering the strongest protection
available from each source.
I reviewed the TPA-Label I-D a while back but lost track of the URL. Please
resend and I'll take another look. But as I recall it just seemed "too hard".
dkim-ops mailing list
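
As an added illustration of the A-R approach discussed in this thread (not code from either poster or from any DKIM implementation): a receiver-side check that accepts list traffic only when an Authentication-Results field stamped by a list the receiver trusts reports dkim=pass for the From: domain. The host names, the `TRUSTED_LIST` value and the function name are assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumption: the receiver trusts A-R fields stamped with this list's authserv-id.
TRUSTED_LIST = "lists.example.org"
DKIM_RESULT = re.compile(r"\bdkim\s*=\s*(\w+)", re.I)
SIGNER = re.compile(r"\bheader\.[di]\s*=\s*(?:[^@\s;]*@)?([\w.-]+)", re.I)

def author_verified_by_list(raw, trusted=TRUSTED_LIST):
    """True only when list traffic carries a trusted A-R field reporting
    dkim=pass for the same domain that appears in the From: address."""
    msg = email.message_from_string(raw)
    if not msg.get("List-ID"):
        return False  # not labelled as mailing-list traffic
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        return False
    for value in msg.get_all("Authentication-Results", []):
        # Unfold the header, then split the authserv-id from the result list.
        authserv, _, results = " ".join(value.split()).partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != trusted:
            continue  # stamped by a host we have not chosen to trust
        for result in results.split(";"):
            verdict, signer = DKIM_RESULT.search(result), SIGNER.search(result)
            if (verdict and signer and verdict.group(1).lower() == "pass"
                    and signer.group(1).lower() == from_domain):
                return True
    return False

# Constructed sample messages (not real traffic).
SAMPLE_OK = (
    "Authentication-Results: lists.example.org;\n"
    " dkim=pass header.d=agency.example\n"
    "List-ID: <discuss.lists.example.org>\n"
    "From: Alice <alice@agency.example>\n"
    "Subject: [discuss] hello\n\nbody\n"
)
# Same claim, but stamped by a host the receiver has no reason to trust.
SAMPLE_UNTRUSTED = SAMPLE_OK.replace("lists.example.org;", "mx.unknown.example;")

if __name__ == "__main__":
    print(author_verified_by_list(SAMPLE_OK))
    print(author_verified_by_list(SAMPLE_UNTRUSTED))
```

The parser is simplified: it does not handle parenthesised comments inside the A-R field, and it does not itself verify the list's own DKIM signature, which a receiver would check before relying on the field.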