> But different parties mean different things when they sign the
> message. If the author signs a message, it means "I wrote this".
> If a list signs a message, it means "I sent this".
Ah, why didn't you just say so two weeks ago? I think you will find
that you are reading a whole lot more into DKIM signatures than other
I concur with Tony's model that a signature only means "I will accept
the blame for this message". Realistically, my MTA is going to sign
mail from all of my users, and although I am willing to accept
responsibility to be sure that they behave themselves, I don't have
the faintest idea what mail they send is new, quoted, sent on behalf
of others (lots, due to third party web and mail hosting) or anything
else. I barely know what domains they use in their return addresses
and I do not know, for example, whether a message with a return
address at one of the little wineries I host is sent by the winery's
management, or someone else (web host) on their behalf. I'm sure not
going to spend any effort forcing them to tag their mail to tell the
difference, since among other things they'd never get it right,
anyway. I expect that my position is similar to that of most ISPs and
I can see that you might want a system full of fine-grained assertions
about mail, but DKIM isn't it, and I doubt that it would be very
useful. It comes back to the failed Lumos model of complex assertions
about mail to be sorted out by recipients. I'm not interested in much
more than one bit to decide either someone's mail is worth accepting
or it's not, and I haven't heard any clamor here for more. I'm
planning to look up the signing domain in whatever passes for a
reputation system, and if it says good, I'll accept it, if it says
bad, I'll reject it, and if it says nothing, I'll send the message
through the filtering gauntlet I use now.
Yeah, I know not everyone feels the way I do, but I think I'm pretty
close to the mainstream here. Everyone? Am I blowing smoke?
ietf-dkim mailing list
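The acceptance policy described in the reply above, as an added example that is not code from the thread or from any DKIM implementation: look up the signing domain (the `d=` tag of the DKIM-Signature header) in a reputation source, accept on "good", reject on "bad", and fall through to the existing filters otherwise. It assumes the signature has already been verified by a separate DKIM verifier that reports pass or fail, and it uses a constructed dictionary in place of "whatever passes for a reputation system". The sample message is constructed to show the case the post says it cannot distinguish: the From: domain (a hosted customer) differs from the signing domain (the ISP's MTA), and the policy keys only on the latter.

```python
"""
Added example (not from the ietf-dkim thread or any DKIM library):
the 'one bit' acceptance policy keyed on the DKIM signing domain.

Assumptions: the verifier has already checked the signature and
reports pass/fail; the reputation source is a plain dict standing in
for a reputation service.
"""
import re
from email import message_from_string
from typing import Optional

# Constructed sample: the ISP's MTA (d=isp.example) signed mail for a
# hosted customer whose From: domain is different. The policy does not
# try to tell "author" from "sender"; only d= matters.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=isp.example;
  s=mta2024; h=from:to:subject:date; bh=Zm9vYmFy; b=c2lnbmF0dXJl
From: orders@winery.example
To: customer@example.org
Subject: Your case of pinot

Thanks for your order.
"""

# Constructed reputation table standing in for a reputation service.
REPUTATION = {"isp.example": "good", "spammer.example": "bad"}


def signing_domain(raw_message: str) -> Optional[str]:
    """Return the d= tag of the first DKIM-Signature header, or None if absent."""
    msg = message_from_string(raw_message)
    header = msg.get("DKIM-Signature")
    if header is None:
        return None
    # RFC 6376 tag=value list: tags separated by ';', folding whitespace
    # inside values is insignificant and stripped.
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags.get("d")


def decide(raw_message: str, signature_verified: bool, reputation=REPUTATION) -> str:
    """
    Map a message to 'accept', 'reject' or 'filter'.

    Only a verified signature carries any weight: a missing or failing
    signature says nothing about the message and goes to the ordinary
    filtering gauntlet, as does a signer with no reputation either way.
    """
    domain = signing_domain(raw_message)
    if domain is None or not signature_verified:
        return "filter"
    verdict = reputation.get(domain.lower())
    if verdict == "good":
        return "accept"
    if verdict == "bad":
        return "reject"
    return "filter"


if __name__ == "__main__":
    print(signing_domain(SAMPLE_MESSAGE), decide(SAMPLE_MESSAGE, signature_verified=True))
```

Note that a failed or absent signature lands in "filter", not "reject": under the model in the post, a signature is a claim of responsibility by the signer, and its absence is not itself a mark against the message.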