Steve Atkins wrote:
"Depending on how it's implemented by recipients there are
ways in which it makes it worse."
If (and this is where the "implemented" bit comes in) recipient ISPs
or MUAs annotate mail in any way that suggests that mail that is
validly DKIM signed and claims that no non-signed mail is ever
sent is, in any way at all, more trustworthy than, say, non-DKIM
mail or mail with no SSP constraints that will make the phish
more plausible than it would be in an MUA which pays no
attention to DKIM or SSP.
Lest you suggest that no ISP would ever be foolish enough to
do such a thing, look at Hotmails past behaviour with SenderID.
I think you are exploring a realm that I class as "creative misunderstanding"
where the problem is with someone going significantly beyond what is said or
promised. And, indeed, there is a solid basis for believing that any
interesting mechanism will produce at least some creative misunderstanding.
So, I think, a response to a concern about this needs to ask a couple of basic
1. For those who use the mechanism "correctly" is there substantial value-add?
2. Is there something about the mechanism, or its specification, that
*encourages* the misunderstanding? Answers might go as far an noting common
characteristics of human tendencies or as near as observing particular language
usage in the spec.
By way of priming this line of query a bit, your noting the hotmail/sender-id
example certainly seems useful to me. More generally, we have plenty of
evidence that people thoroughly misunderstand what signing is and is not useful
My concern is that this line of observation quickly justifies doing nothing at
all. (Since any action is subject to abuse, take no action.)
My own answer to question #1 is that being able to trivially, accurately and
reliably being able to reject a class of bogus mail is rather nice. If someone
says their domain is always signed, then I can choose to toss mail that I get
with that domain that is not signed (... ummmmm, assuming that the email service
is not breaking signatures very much.)
NOTE WELL: This list operates according to