On Feb 20, 2006, at 10:02 AM, SM wrote:
At 11:06 17-02-2006, Douglas Otis wrote:
Should these reports go to the email-address domain owner or to
the signing-domain? Who can fix the problem?
The r= email address is for reports and inquiries about the signing
What action is expected of the email-address domain owner when making
Agreed. If there are to be reports allowed, these should be
reports to the entity able to take corrective action, the signing-
Reports are useful in the testing phase to detect broken signatures
at the verifier's end. We cannot "trust" the email from the
signing-domain if it fails verification which makes sending the
The signing-domain _may_ wish to receive broken signature reports;
they could compare these against message destinations. It is
unlikely the email-address domain owner would be able to effectively
deal with reports of third-party signature failures, or to be able to
take corrective actions.
A restriction limiting reports to the email domain will not
prevent abuse. Do not assume closed policies are in place. Do
not use this reporting mechanism as a method to punish email-
address domain owners not publishing closed policies. When the
only logical choice for open-policies is to not use 'r=' email-
address vector, how does one still allow a means to report abuse
to the signing-domain?
The "r=" tag is optional. Publishing it is not asking for
punishment. It is to allow the signer to take corrective action.
If this report is expecting the signer to take corrective action,
then by all means, the report vector _must_ be referenced from the
signing-domain and _not_ the email-address domain as it is now!
Reports _must_ assume DKIM holds the _signing-domain_ accountable.
When there are problems, the _signing-domain_ should know about
problems created by the messages they sign. Referencing the report
vector off of the email-address domain ignores completely who signed
The restriction limits the scope for a denial of service.
When reports are sent to hapless email-address domain owners who are
unable to take corrective actions, there is _no_ means to prevent
these report vectors from creating a DoS.
The "r=" tag is not for reporting abuse. I used
"abuse(_at_)example(_dot_)com" as an example only.
The recipient decides what they wish to report and abuse will likely
be high on their list. Even broken signatures by third-parties seems
an unlikely a problem to report to the email-address domain owner.
Assuming there is corrective action that can be taken to repair some
incompatibility, it would be the signer, and not the email-address
domain owner, that would be able to make the corrections.
NOTE WELL: This list operates according to