Franck,
Let me clarify that if your system was checking the ADSP record and
"skipping" or avoiding 3rd party signing of domains with
DKIM=DISCARD|ALL, then IMO, your system would be protocol consistent
and behaving correctly.
Blind resigning could cause problems, such as:
1) Receivers rejecting DKIM=DISCARD|ALL author domains with 3rd party
signatures.
2) Creating negative reputation on the 3rd party signer for perpetuating
continued sending of 1st party ADSP failures.
3) Potentially creating a membership removal for continued failure
at the recipient mail host by not accepting list signed
distributions.
To mitigate #3, receiver software SHOULD NOT issue an SMTP LEVEL
negative reply code (45z, 55z) and under ADSP failures, SHOULD
accept the message and silently DISCARD the message as allowed
by RFC 5321 and RFC 5617. This will resolve issue #3 and also
minimize back scattering.
#2 is still a risk for 3rd party signers if they ignore RFC 5617.
--
hector wrote:
Franck Martin wrote:
I do not see where is the issue? I 3rd party sign emails and I have not
faced any problems with that (Am I missing something?) The providers
that check DKIM all include a dkim=pass in the mail headers.
Franck,
That's because receivers have yet to support and honor RFC 5617 (ADSP).
Once they do, your 3rd party signing of domains with ADSP
DKIM=DISCARD|ALL are subject to mail rejection/discard at receivers.
RFC 5617 says:
all
All mail from the domain is signed with an Author
Domain Signature.
discardable
All mail from the domain is signed with an
Author Domain Signature. Furthermore, if a
message arrives without a valid Author Domain
Signature due to modification in transit,
submission via a path without access to a
signing key, or any other reason, the domain
encourages the recipient(s) to discard it.
What Bill is referring to is the "3rd party Policies" that was part of
the original SSP specification but pulled for ADSP.
SSP included a "concept" that allowed 3rd party signatures, however, the
complexity was how do we control (authorize) the 3rd party signer.
In other words, how do we tell the world that 1st party domain
"santronics.com" allows 3rd party signer domain "genuis.com" to sign
mail on the behalf of santronics.com.
The proposals were to provide a LIST "somewhere" like in the POLICY
record. The draft DSAP proposal offered this feature. The issue with
that is how big can that list be.
--
HLS
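The two checks discussed in this thread, written out as an added example that is not code from the thread or from any of the implementations mentioned: a signer-side test that skips 3rd party signing when the author domain publishes dkim=all or dkim=discardable, and a receiver-side disposition that accepts at SMTP time and silently discards on an ADSP failure instead of replying 45z/55z. The ADSP records and the `.example` domains are constructed and stand in for a real lookup of `_adsp._domainkey.<domain>`.

```python
import re

# Constructed sample ADSP records, keyed by author domain, standing in for the
# TXT record a real implementation would fetch at _adsp._domainkey.<domain>.
SAMPLE_ADSP = {
    "all-domain.example": "dkim=all",
    "discard-domain.example": "dkim=discardable",
    "unknown-domain.example": "dkim=unknown",
    # "nopolicy.example" deliberately has no record
}

def parse_adsp(txt):
    """Extract the outbound signing practice from an ADSP TXT record.
    RFC 5617 defines unknown, all and discardable; any other value is
    treated as unknown, as the RFC instructs for unrecognised values."""
    m = re.search(r"(?:^|;)\s*dkim\s*=\s*([A-Za-z0-9]+)", txt)
    val = m.group(1).lower() if m else "unknown"
    return val if val in ("unknown", "all", "discardable") else "unknown"

def author_practice(author_domain, records=SAMPLE_ADSP):
    """'none' when no ADSP record exists, else the parsed practice."""
    txt = records.get(author_domain.lower())
    return "none" if txt is None else parse_adsp(txt)

def has_author_signature(author_domain, valid_signing_domains):
    """An Author Domain Signature is a valid DKIM signature whose d= equals
    the From: domain; signatures with any other d= are 3rd party."""
    return author_domain.lower() in {d.lower() for d in valid_signing_domains}

def third_party_should_sign(author_domain, records=SAMPLE_ADSP):
    """Signer-side check: a list or forwarder skips re-signing mail whose
    author domain publishes dkim=all or dkim=discardable, so it never
    perpetuates a 1st party ADSP failure under its own signature."""
    return author_practice(author_domain, records) not in ("all", "discardable")

def receiver_action(author_domain, valid_signing_domains, records=SAMPLE_ADSP):
    """Receiver-side disposition. On an ADSP failure the message is still
    accepted at SMTP time (no 45z/55z reply, hence no backscatter and no
    list bounces); a dkim=discardable failure is then dropped silently,
    while a dkim=all failure is delivered but flagged for local policy."""
    practice = author_practice(author_domain, records)
    if has_author_signature(author_domain, valid_signing_domains):
        return "deliver"
    if practice == "discardable":
        return "accept-and-discard"
    if practice == "all":
        return "deliver-flagged"
    return "deliver"  # unknown or no record: ADSP imposes nothing
```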
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html