the problem I have with DKIM filtering is that it is only effective
for domains that can reasonably insist that all of the mail
originated by users at that domain go through that domain's
submission servers. this is a corner case, not the general case.

Back in the day, we didn't have any of this VeePeeEn tomfoolery. I
could just telnet in and that was that. I'm sure that our IT folks
paid dearly in time, equipment, and support to throw up that wall, yet
they did it and as far as I can tell we all survived the move. I
don't see anything especially different with mail: if you want
accountability, you have to do real live work -- part of which is
placing restrictions on access. TANSTAAFL.

what you are failing to see is just how much reliance on VPNs (and
source IPs) to do authentication cripples the network. sure it's better
than nothing, but it's also very inflexible and an architectural dead end.
(and the problem with TANSTAAFL is that you can use it to justify any
kind of brain damage you want, as long as there's some minor associated

sure the spammers will learn to not use DKIM domains, but they'll
just move to other domains,

This is a feature, not a bug: I don't have to outrun the bear, I just
need to outrun you.

I'll remind you that as a condition to working in IETF we are all
pledged to use our judgment as to what's best for the Internet as a
whole...not just for those who can run faster than others.
Ietf mailing list