Byung-Hee HWANG wrote:
Hello, I published the ADSP record of my domain "izb.knu.ac.kr" in
DNS. I just set it up as "dkim=all". OK, now I have a question. When my
signed emails pass through this server "mipassoc.org", my emails are
confirmed as "pass" at DKIM verification. Then my signature is removed.
However, some end-users may misunderstand my ADSP policy of
"dkim=all" because my signature has already been removed and is gone.
What can I do to solve this point? Should I switch to
"dkim=discardable"? Or is this good practice without any faults?
Any advice or comment welcome!
If you use DKIM=DISCARDABLE, then you are EXPECTING ADSP compliant
receivers to reject your postings to this mailing list which will
strip/replace with 3rd party signatures.
If you use DKIM=ALL, then you are EXPECTING ADSP compliant receivers
to maybe WARN or LOG the result, but not reject your postings to this
mailing list which will strip/replace with 3rd party signatures. This
could create FALSE POSITIVE results with some knowledge building concept.
If you use DKIM=UNKNOWN or no ADSP record at all, then you are
EXPECTING ADSP compliant receivers to ignore everything about your
message when it comes to DKIM.
IMO, it really depends on what you expect. On my server, I have
MIPASSOC.ORG whitelisted with an internal DIP rule (DOMAIN::IP association):

    accept if %CIP% in 72.52.113.* and %RPD% = mipassoc.org
It's like an internal SPF record for MIPASSOC.ORG because it doesn't
have one.
So currently, all mipassoc.org mail passes (SMTP level) regardless of
DKIM as long as it comes from the above class C range of domains.
At the DATA level, we have new DKIM scripting rules in testing that
will allow operators to write rules such as:
    reject if %ADSP% is "DISCARDABLE" and
              %DKIM.D% is not %FROM.DOMAIN%
It is a rule that will help protect ADSP domains who expect
exclusivity in their DKIM signed mail transports - no 3rd party, no
remailers, no mailing list servers, etc.
Notes:
1) The DATA scripting rule doesn't require DKIM
signature rehashing processing overhead.
2) ADSP requires an MX lookup. This WOULD already naturally be
done at the SMTP level scripting rules for anonymous senders.
However, mipassoc.org is whitelisted by the DIP rule. So this
check is skipped.
The question I have is: if you do have a DKIM=ALL ADSP record, but
the mipassoc.org signature is found, what do we do on our end? How do
we learn from this? We can log it, of course. Should we send you
a one-time report? Don't want to. Or do we just accept the idea that
MIPASSOC.ORG was whitelisted by us and we accept anything (including
junk) sent by it?
In short, we have put our faith in mipassoc.org not passing junk to us.
How much due diligence mipassoc.org will do now that it does DKIM
processing with strip, destroy and replace DKIM actions, we don't
know. What if you had a DKIM=DISCARDABLE and it failed, would
mipassoc.org reject it? IOW, does mipassoc.org support ADSP?
--
Sincerely
Hector Santos
http://www.santronics.com
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
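The three ADSP outcomes discussed in this thread (unknown, all, discardable) and the proposed "reject if DISCARDABLE and d= is not the From domain" DATA rule, worked through in Python as an added example. This is not code from either poster or from the mipassoc.org list software; the ADSP records, domain names and signature lists below are constructed for illustration, and the `evaluate_adsp` / `data_rule_reject` names are assumptions of this example.

```python
"""Evaluate ADSP (RFC 5617) for a message whose original DKIM signature may
have been stripped and replaced by a mailing list's third-party signature.
Added example; records and domains are constructed, not real DNS data."""
import re
from collections import namedtuple

Verdict = namedtuple("Verdict", "disposition reason")

# Constructed ADSP TXT records, keyed by author domain. In real life these
# are fetched from _adsp._domainkey.<author-domain>; nothing here is live.
ADSP_RECORDS = {
    "author-all.example": "dkim=all",
    "author-strict.example": "dkim=discardable",
}

ADSP_VALUES = ("unknown", "all", "discardable")


def parse_adsp(record):
    """Return the dkim= tag of an ADSP record; absent or unrecognized
    values are treated as 'unknown', as RFC 5617 requires."""
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ADSP_VALUES else "unknown"
    return "unknown"


def author_domain(from_header):
    """Domain part of the address in a From: header (None if no address)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).rstrip(".").lower() if match else None


def evaluate_adsp(from_header, passing_sig_domains, records=ADSP_RECORDS):
    """Apply ADSP. An Author Domain Signature is a verified DKIM signature
    whose d= equals the From domain; if one survives, ADSP is satisfied.
    Otherwise the published policy decides what the receiver should do."""
    domain = author_domain(from_header)
    if domain is None:
        return Verdict("reject", "no author domain in From header")
    signers = {d.lower() for d in passing_sig_domains}
    if domain in signers:
        return Verdict("accept", "author domain signature present")
    policy = parse_adsp(records.get(domain, ""))  # no record -> unknown
    third_party = ",".join(sorted(signers)) or "none"
    if policy == "discardable":
        return Verdict("discard", "dkim=discardable, no author domain "
                                  "signature (third-party: %s)" % third_party)
    if policy == "all":
        # dkim=all: the domain says all its mail is signed, so a missing
        # author signature is suspicious, but ADSP does not ask to discard.
        return Verdict("accept-flagged", "dkim=all, only third-party "
                                         "signatures: %s" % third_party)
    return Verdict("accept", "dkim=unknown or no ADSP record")


def data_rule_reject(adsp_policy, dkim_d, from_domain):
    """The DATA-level rule from the thread: reject if %ADSP% is
    DISCARDABLE and %DKIM.D% is not %FROM.DOMAIN% (no rehashing needed)."""
    return adsp_policy == "discardable" and dkim_d.lower() != from_domain.lower()


if __name__ == "__main__":
    # A list relay strips the author signature and signs as the list domain.
    for sender in ("user@author-all.example", "user@author-strict.example",
                   "user@nopolicy.example"):
        print(sender, "via list ->", evaluate_adsp(sender, ["list.example"]))
    print("direct ->", evaluate_adsp("user@author-all.example",
                                     ["author-all.example"]))
```

With a dkim=all record the relayed message is accepted but flagged, which is the warn/log outcome described above; with dkim=discardable the same relayed message is discarded, which is why switching policies only makes sense if the author never expects mail to traverse a list that replaces signatures.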