On 10/29/09 6:45 AM, Dave CROCKER wrote:
Rolf E. Sonneveld wrote:
... if they can do so, you accept the entire email.
In either case you accept the entire email,
Not necessarily. Many if not most Edge ADMD MTA's perform all sorts
of actions after the MAIL FROM phase and before the DATA phase.
Think of greylisting, call back verification, use of RHSBL, use of
local BL and WL's, etc. etc.
If DKIM is to provide acceptance value, so should authorizations of a
DKIM signer. When a Mail From domain authorizes a different DKIM domain
signing the message, this could serve as a basis for acceptance of the
message. Conceivably, this could be done prior to acceptance of the
entire message. After all, authorization can be checked within a single
DNS transaction during validation.
Perhaps knowing the Mail From domain had authorized the signing domain
might grant acceptance prior to validation, but this could lead to an
excessive number of DSNs whenever the authorized signature proves to be
invalid subsequent to acceptance. The TPA-Label scheme even allows
selective assertion of signing practices that could target a message
signer being spoofed.
I was just at a session at an industry trade association where the
question of doing DKIM during SMTP came up. There were operations
folk who very much liked the idea of being able to obtain some DKIM
benefit during the SMTP session, before the dot...
No one suggested modifying SMTP or DKIM specifications.
What /was/ discussed was the possibility of doing a signature that
would validate before DATA. This merely requires a signature that
does not cover the body.
DKIM has split out the body hash from that of the header fields, but
that only permits hashing the message body later. Not much saved there.
I can't say that anyone sounded hugely enthusiastic about this, but
given that there was interest in SMTP-time benefit, I think they just
needed to think about this more.
In for a penny, in for a pound. As the prior paragraph suggested, the
current DKIM signature can provide this feature whenever signature
validation is done prior to acceptance and the Mail From domain has
offered authorization. It seems holding acceptance until DKIM
validation might require hardware assist. Hardware assist is not
expensive, and could be limited to trusted sources. Here again, the
TPA-Label approach could play a role in the selection.
NOTE WELL: This list operates according to