On 06/24/2010 08:45 AM, Martijn Grooten wrote:
So why does a domain that performs that painful audit and
remediation need to then tell John's drop list that it's OK to
drop unsigned mail? It doesn't. It can just publish an ADSP
record and be done with it. No need to count on some unreliable,
unaccountable point of failure to mediate their business.
What if it publishes an ADSP record but doesn't understand the implications?
Because, for instance, they send a lot of email to mailing lists. Or because
to some emails, an MTA adds some blurb to the body after the DKIM signature
has been computed. Or because they forget that in some (rare) cases they do
not sign their email. (The latter happened to GMail who, without having
published an ADSP record, had said that all of their email was DKIM-signed.
Some of it wasn't. At least one commercial spam filter used GMail's claim to
block unsigned email coming from GMail.)
There are an infinite number of ways to shoot yourself in the foot.
They could also stop signing with DKIM on weekends so they can give
their DKIM signers some well earned rest and relaxation too.
So my view of the service being discussed here isn't one where some guy in
upstate NY claims to have full knowledge of which domains DKIM-sign all their
outbound email. Rather, it's a service where the manager of the service uses
claims made by the sender about whether they sign all of their email and then
only lists those domains that know what their doing.
In this instance, not even the guy in upstate NY can keep things straight with
own small database.
NOTE WELL: This list operates according to