On Fri, 10 Sep 2010 23:37:46 +0100, Steve Atkins
On Sep 10, 2010, at 2:31 PM, Scott Kitterman wrote:
..... If this negative event can be avoided by the simple mechanism of
using a mailing list specific "Message" From, then that is a benefit.
Rather than go into the general reasons why I think this is not
something that ADSP users really want, I'll give a concrete
What ADSP users want is irrelevant. This is about what MLMs want (which is
most likely to ensure that submitted messages reach the whole of their
list without problems).
Lets say this mailing list rewrites the From: address in some
reasonably mechanical manner, and the From: field of
this message were rewritten as (making up syntax on
... such that recipients (or their MUAs) know that this mail
was sent by steve(_at_)blighty(_dot_)com via a mailing list at
There's nothing to stop me from sending mail
From: billing%paypal(_dot_)com%ietf-dkim(_at_)mipassoc(_dot_)org, as
the mailing list isn't using ADSP.
Clearly, mailing lists that do things to the From: SHOULD (even MUST)
sign, and any RFC documenting my proposal would include that.
But yes, you could currently send a message to this list From: that
address, but that has nothing to do with whether my suggestion is adopted
or not. I suspect you would soon find yourself blacklisted by the MLM.
... And there's certainly
nothing to prevent me from sending mail from
billing%paypal(_dot_)com%ietf-dkim(_at_)blighty(_dot_)com that has
a valid first-person signature.
Indeed, but that is, and has always been, possible, irrespective of
whether my suggestion is adopted. Phishers have been obfuscating their
From: headers in such ways since forever.
That means that, as far as the end user is concerned,
I can send them email that is "from" billing(_at_)paypal(_dot_)com,
even though paypal.com is using ADSP to ask receivers
to discard mail that claims to be from paypal.com but
is not validly signed by paypal.com.
Given the whole point of ADSP is "Discard if you're not
sure", I don't think that's what an ADSP using domain
Sure they would, but DKIM as specified does not provide that feature
except when everything after the '@' is exact.
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
NOTE WELL: This list operates according to