dkim-dev

Re: [dkim-dev] dkim and email list software - adsp

2009-09-30 02:52:22
Daniel Black wrote:
> On Wednesday 30 September 2009 05:10:50 Dave CROCKER wrote:
>> wow.  more than 16 hours and no one has posted anything.
>
> post standardisation stress disorder?

Something like that.

Daniel Black wrote:
> 2. The author's email infrastructure DKIM signs the email message and
> publishes an ADSP dkim record saying 'I sign all messages for this domain'
> 3. The message is received by the email list

I'm really hoping that receiving domains don't overreact to ADSP 'all' assertions; there is a very large difference between publication of an 'all' record and a 'discardable' record. Domains publishing 'all', such as mine, are simply saying that they sign all of their outgoing mail. Verifying/assessing receivers should understand that signatures do get broken, so they might want to scrutinize messages that are received without a valid author domain signature more carefully when an 'all' practice is published. One way they might do this is to add a positive bias to the spam score calculated by SpamAssassin and similar content filters. This might be counteracted by the presence of a DKIM signature from a trusted domain, such as the venerable mipassoc.org.

The 'discardable' practice is intended only for transactional domains and similar domains having very restricted usage patterns. A 'discardable' domain probably has no business using mailing lists; many of their messages would/should not be delivered. I hadn't considered the possibility of the mailing list manager software checking ADSP and rejecting subscription requests if the subscriber domain publishes 'discardable'; that might be an interesting idea, although of course many subscribers don't ever send anything to the lists anyway.

To summarize:

- 'all' and 'discardable' are NOT the same
- Please interpret 'all' with the understanding that signatures do get legitimately broken (don't overreact)

One other comment: One of your earlier messages referred to a missing signature as 'fails ADSP really badly'. This implies that a present but invalid signature is better than a missing signature. Please don't think of it this way, and please don't implement it this way. We don't want messages to be treated any better if the Bad Actors out there insert something that looks like a DKIM signature but is bogus. Invalid signatures need to be treated exactly the same as if they were nonexistent.

-Jim

_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev
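
An added example, not part of the message above or of any DKIM implementation: one way a receiver could apply its two points, counting only valid signatures and treating a missing author signature under 'all' as a spam-score adjustment rather than a rejection. The weights, the `assess` and `Sig` names and the trusted-signer set are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed values: the message gives no weights, and names only
# mipassoc.org as an example of a trusted signing domain.
ALL_UNSIGNED_BIAS = 1.5
TRUSTED_SIGNER_OFFSET = -1.5
TRUSTED_SIGNERS = {"mipassoc.org"}


@dataclass(frozen=True)
class Sig:
    d: str       # signing domain taken from the d= tag
    valid: bool  # outcome of DKIM verification for this signature


def assess(author_domain, adsp_practice, sigs):
    """Return (action, spam_score_delta) for one received message.

    adsp_practice is the author domain's published ADSP value:
    'unknown', 'all' or 'discardable'.
    """
    # Drop invalid signatures before anything else looks at them, so a
    # bogus DKIM-Signature header is indistinguishable from no header.
    valid_domains = {s.d.lower() for s in sigs if s.valid}

    if author_domain.lower() in valid_domains:
        return ("accept", 0.0)           # valid author domain signature
    if adsp_practice == "discardable":
        return ("discard", 0.0)          # domain asked for this outcome
    if adsp_practice != "all":
        return ("accept", 0.0)           # no ADSP assertion to act on

    # 'all' without a valid author signature: scrutinize, do not reject.
    delta = ALL_UNSIGNED_BIAS
    if valid_domains & TRUSTED_SIGNERS:
        delta += TRUSTED_SIGNER_OFFSET   # e.g. the list re-signed the message
    return ("score", delta)
```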