Wietse Venema wrote:
a) DKIM is for declaring the presence of an accountable identity.
If a signature is present, you know something. If it is absent,
you know nothing extra.
b) ADSP attempts to tell you something, in the absence of a
signature. It does that by defining something else that must be
present. If the ADSP record is present, you know something. If
it is absent, you know nothing extra.
c) Checking for the presence of [any DNS] record is intended to try
to tell you something in the absence of an explicit action by the
domain owner. That's its flaw: It is intuiting ADSP information
from non-ADSP action.
To clarify a perhaps overlooked point: the existence of [any DNS]
record for the Originator domain does NOT imply that it is a valid
email origin. If the record is absent, then we know nothing that
the absence of the ADSP record for that domain didn't already tell
us. Any suggestion to the contrary is probably a mistake.
ADSP is doing the converse of that: it takes the non-existence
of [any DNS] record for the Author Domain as an implication that
it is NOT a valid email origin, or more accurately reports if that
is the reason there isn't an ADSP record for that domain.
The problem is that "valid email origin" is a subset of all the
names that resolve in the DNS. In other words, there are false
positives in the algorithm that continues when [any DNS] record
NOTE WELL: This list operates according to
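To make the distinction argued above concrete, here is an added example (my own code, not code from this thread or from any DKIM/ADSP implementation) that runs the RFC 5617 section 4.3 ADSP lookup against a constructed in-memory "DNS". It shows that a domain which merely resolves (an A record, or a name that exists with no data) produces no ADSP information at all, while only a true NXDOMAIN yields the "not a valid email origin" result. The zone data, the choice of MX as the domain-existence probe, and the handling of multiple or malformed records are assumptions made for the example.

```python
"""Added example: RFC 5617 section 4.3 ADSP lookup over a fake resolver.
Not code from the thread or from any real DKIM/ADSP implementation."""

from typing import Callable, Dict, List, Tuple

NOERROR = 0   # DNS rcode: an answer, possibly with no records (NODATA)
NXDOMAIN = 3  # DNS rcode: the name does not exist at all (RFC 1035)

# Constructed zone data for this example: owner name -> {rrtype: rdata list}.
# A name that is present but lacks the queried type models a NODATA answer
# (rcode 0, empty answer), which RFC 5617 says is NOT the same as NXDOMAIN.
FAKE_ZONES: Dict[str, Dict[str, List[str]]] = {
    "signer.example": {"MX": ["mail.signer.example."]},
    "_adsp._domainkey.signer.example": {"TXT": ["dkim=all"]},
    "webonly.example": {"A": ["192.0.2.10"]},   # resolves, publishes no ADSP
    "parked.example": {},                        # exists, NODATA for every type
}

Resolver = Callable[[str, str], Tuple[int, List[str]]]


def fake_dns_query(name: str, rrtype: str) -> Tuple[int, List[str]]:
    """Stand-in resolver: returns (rcode, records) from FAKE_ZONES."""
    zone = FAKE_ZONES.get(name.lower().rstrip("."))
    if zone is None:
        return NXDOMAIN, []
    return NOERROR, list(zone.get(rrtype, []))


def parse_adsp_record(txt: str) -> str:
    """Extract the dkim= practice from an ADSP TXT record (tag=value list).
    Returns 'unknown', 'all' or 'discardable'; raises ValueError when the
    required dkim= tag is missing."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if "dkim" not in tags:
        raise ValueError("ADSP record without dkim= tag: %r" % txt)
    practice = tags["dkim"]
    # Any value other than the defined ones is treated as 'unknown'.
    return practice if practice in ("all", "discardable") else "unknown"


def adsp_lookup(author_domain: str, query: Resolver = fake_dns_query) -> str:
    """RFC 5617 4.3 lookup for the Author Domain.

    Returns 'nxdomain', 'none' (no record published, practice defaults to
    unknown), 'unknown', 'all', 'discardable' or 'permerror'.
    """
    # Step 1, domain scope: does the Author Domain exist in the DNS at all?
    # The RFC allows any RR type here because only the rcode matters; this
    # example asks for MX (an assumption, not a requirement).
    rcode, _ = query(author_domain, "MX")
    if rcode == NXDOMAIN:
        return "nxdomain"
    # Step 2: fetch the named ADSP record. NXDOMAIN or NODATA here both mean
    # "nothing published"; a domain that resolves has told us nothing extra.
    rcode, txts = query("_adsp._domainkey." + author_domain, "TXT")
    if rcode == NXDOMAIN or not txts:
        return "none"
    if len(txts) != 1:
        return "permerror"  # example's choice: several records are ambiguous
    try:
        return parse_adsp_record(txts[0])
    except ValueError:
        return "permerror"


def dkim_adsp_result(author_domain: str, has_author_signature: bool,
                     query: Resolver = fake_dns_query) -> str:
    """Authentication-Results 'dkim-adsp' result (RFC 5617 5.4 names) for a
    message from author_domain, given whether it carries a valid Author
    Domain Signature."""
    if has_author_signature:
        return "pass"  # a valid Author Domain Signature satisfies any policy
    practice = adsp_lookup(author_domain, query)
    return {"nxdomain": "nxdomain",   # domain is not a valid email origin
            "none": "none",           # resolves, but nothing extra is known
            "unknown": "unknown",
            "all": "fail",            # domain says all its mail is signed
            "discardable": "discard",
            "permerror": "permerror"}[practice]


if __name__ == "__main__":
    for domain in ("signer.example", "webonly.example",
                   "parked.example", "nonexistent.example"):
        print(f"{domain:22s} unsigned -> {dkim_adsp_result(domain, False)}")
```

Note that webonly.example and parked.example land in the same bucket as each other ("none") even though one has an A record and the other has no data at all: the presence of a non-ADSP record never promotes a domain to a "valid email origin", and only the NXDOMAIN case (nonexistent.example) produces a negative statement.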