I don't know if this has been already discussed and considered by the
DK/DKIM designers, but I don't see a clear definition of what exactly is
"3rd party" or "3rd party signing."
What exactly are the scenarios here for 3rd party Signers?
a) Mailing list server signers?
b) Forwarding operations MTA signers?
c) Hosted domains with alternative MSA/MTA signers?
d) Service bureaus or clearing houses MTA signers?
Or from a technical standpoint, we have a generic "3rd party" situation when
"DKIM d=domain" IS NOT EQUAL to "ORAD"
ORAD is the Originating Responsible Address Domain.
It seems to me that a 3rd party signer needs to look up the ORAD SSP to see
if any 3rd party signing is allowed in the first place.
I see a conflict with user addresses whose domain has DKIM policies, but
they use it on 3rd party services.
Tell me if these scenarios sound correct:
1) A domain has an EXCLUSIVE SSP (o=!); this means users of this domain
*CAN NOT* use another SERVICE that might sign the outbound mail with
the ORAD (From:) set to the user's address.
2) A domain has a NEUTRAL SSP (o=~); this means users of this domain
*MAY* use another SERVICE that might sign the outbound mail with the
ORAD (From:) set to the user's address.
In short, it seems that signers need to take into account the ORAD SSP
before any signing takes place to see if it's allowed. If not, then we
really have PHISHING and SPOOFING problems.
I see the benefit coming when the SIGNER respects the ORAD SSP wishes.
I can see a future implementation, let's say for a mailing list service that
has a TOS that might say:
"A member email address used for subscriptions must allow
for the Mailing List Service DKIM (3rd party) signatures."
So a subscription confirmation message sent to the user might say:
"Sorry, your email address domain DKIM SSP does not allow
for 3rd party signatures."
Is this correct? Am I missing something here? Has this been addressed?
Hector Santos, Santronics Software, Inc.
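The "check the ORAD SSP before signing" rule described in the post, as an added example that is not part of the original message or any DKIM implementation. It assumes the two policy values the post names ("o=!" exclusive, "o=~" neutral), treats a domain with no record as unrestricted, and uses a constructed in-memory table in place of the DNS lookup.

```python
# Added example (not from the original post). ORAD = domain of the From:
# address; a signature whose d= differs from the ORAD is a "3rd party" one,
# so the ORAD's SSP record is checked before signing.
from email.utils import parseaddr

# Constructed policy records keyed by domain, standing in for a DNS lookup.
# The two "o=" values follow the post: "!" exclusive, "~" neutral.
SSP_RECORDS = {
    "bank.example": "o=!; n=only our own MTAs sign",
    "isp.example": "o=~",
    # "nopolicy.example" deliberately publishes no record
}

def parse_tags(record):
    """Parse 'k=v; k=v' into a dict (tag names are case-sensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def orad_of(from_header):
    """Originating Responsible Address Domain: the From: address's domain."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError("From: header carries no usable address")
    return addr.rsplit("@", 1)[1].lower()

def third_party_signing_allowed(from_header, signer_domain, records=SSP_RECORDS):
    """Return (allowed, reason). d= equal to the ORAD is first-party and needs
    no policy check; otherwise the ORAD's 'o=' tag decides."""
    orad = orad_of(from_header)
    if signer_domain.lower() == orad:
        return True, "first-party signature"
    record = records.get(orad)
    if record is None:
        # Assumption: a domain that publishes no policy imposes no restriction.
        return True, "no SSP record for " + orad
    policy = parse_tags(record).get("o", "~")
    if policy == "!":
        return False, orad + " publishes o=! (exclusive): refuse to sign"
    if policy == "~":
        return True, orad + " publishes o=~ (neutral): 3rd-party signing allowed"
    return False, "unrecognised o= value %r, refusing to sign" % policy

if __name__ == "__main__":
    print(third_party_signing_allowed("alice@bank.example", "lists.example"))
    print(third_party_signing_allowed("bob@isp.example", "lists.example"))
```

A mailing list service would run this check at subscription time (the TOS case above) and again at signing time, since the ORAD's published policy can change between the two.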