On Jan 30, 2009, at 8:37 AM, Suresh Ramasubramanian wrote:
> On Fri, Jan 30, 2009 at 9:41 PM, Jeff Macdonald
> <jmacdonald(_at_)e-dialog(_dot_)com> wrote:
>> On Thu, Jan 29, 2009 at 04:14:02PM -0500, MH Michael Hammer (5304)
>> wrote:
>>> Signer does not necessarily have to equal sender for DKIM base.
>>> This is one of the reasons I tend to fall into the "d=" camp.
>>
>> Don't forget i= is also in control of the signer too. An
>> author/sender does not control it.
>
> Which would kind of make it redundant?

No. The i= parameter allows the signer to establish an identity that
they have verified in some manner.

A domain has a few choices as to how this i= value might be used:

1) Have it match the originating email-address whenever this
   email-address represents who the signer verified.
2) Not include the i= value and prevent finer grain assessments.
3) Have the i= represent an opaque attribute that represents who the
   signer verified.

Large domains will almost always have some small percentage of
problematic accounts. If the d= parameter becomes a significant basis
for acceptance, then replay abuse will need to be controlled.

A reputation service will provide little value when replay abuse
prevents reliance on the DKIM domain for the majority of email being
handled.

To rescue the service, the reputation of a DKIM domain might be Good /
Check-I / Bad.

A secondary check of the i= reputation for problematic domains would
help mitigate an otherwise uncontrolled amount of abuse. Path
registration represents the only other alternative.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
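
The two-stage assessment proposed in the message above (d= reputation first, i= consulted only for "Check-I" domains), as an added Python sketch that is not part of the original thread. It assumes the signature has already been verified cryptographically; the reputation tables, domain names, the "unknown" fallback and all function names are constructed for illustration.

```python
import re

# Constructed reputation data (hypothetical; a real service would supply this).
DOMAIN_REP = {"bank.example": "good", "spam.example": "bad",
              "bigmail.example": "check-i"}
# Opaque i= token the signer assigned to one abusive account (option 3).
IDENTITY_REP = {"a1b2c3@bigmail.example": "bad"}

def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Dropping folding whitespace is adequate for the d= and i= tags.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def signing_identity(tags):
    """Return (d, i); an absent i= defaults to "@" + d (option 2)."""
    d = tags["d"].lower()
    local, sep, i_domain = tags.get("i", "@" + d).rpartition("@")
    i_domain = i_domain.lower()
    # The i= domain must be d= itself or a subdomain of it.
    if not sep or (i_domain != d and not i_domain.endswith("." + d)):
        raise ValueError("i= is not within the d= domain")
    return d, local + "@" + i_domain

def assess(header_value):
    """d= decides for Good/Bad domains; Check-I domains defer to i=."""
    d, i = signing_identity(parse_tags(header_value))
    rep = DOMAIN_REP.get(d, "unknown")
    if rep != "check-i":
        return rep
    # Assumption: an identity with no record yields "unknown", so a signer
    # that omits i= gives the assessor nothing finer than the domain.
    return IDENTITY_REP.get(i, "unknown")

if __name__ == "__main__":
    # Constructed sample signatures (b= values are placeholders).
    for sig in ("v=1; d=bank.example; s=k1; b=AAAA",
                "v=1; d=bigmail.example; i=a1b2c3@bigmail.example; b=AAAA",
                "v=1; d=bigmail.example; s=k1; b=AAAA"):
        print(assess(sig), "<-", sig)
```
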