Brett,
IMO, the frank answer is that you are hosed if you try to use any high
value (HV) domain or one associated with a HV domain in an open manner.
If you believe in POLICY as I sense you do, then today, you have no
policy protection today via mailing list software. You are left with
depending on the 3rd party signer because passing 1st signed mail thru
a list will almost guaranteed broken DKIM mail during the distribution.
So your only option is a relaxed signature policy and that doesn't
help you at all in the wild (outside the list). But then again, since
it is relaxed, BAD GUYS doesn't have to spoof sign at all - they don't
have to lift a finger, thats the legacy mail problem.
The problem with ADSP DKIM=ALL is there no agreement if its for the
1st party or any party allowed to sign for you. We are back to square
one if ANY signer and distribute your mail.
Crocker and Levine has always been correct about one thing - it is the
last signer that counts. The chain of trust concept.
The question is did you authorize them to sign for you and the problem
is the last signer can be a bad guy.
So what do you do?
Today - do what Doug and I suggest - separate the mail channels. Use a
entirely different domain you don't care about and try to see if this
is good enough to warm up the 3rd party signers with special vouchers.
No easy answer but to bring back some sort of 3rd party authorization
consideration.
--
Sincerely
Hector Santos
http://www.santronics.com
McDowell, Brett wrote:
I want to thank everyone who chimed in with their informed opinions.
Unfortunately I'm still where I started, i.e. smart, informed, well meaning
professionals have completely opposing views on what "best practice" is in
this regard.
-- Brett
On Sep 8, 2010, at 3:41 PM, Hector Santos wrote:
Douglas Otis wrote:
On 9/8/10 11:23 AM, Jim Fenton wrote:
No, I'm suggesting that they publish an explicit dkim=unknown if that is
their intent.
It seems unlikely dkim=unknown will support their goal of ensuring most
phishing attempts are blocked. It also seems unlikely this assertion
will override rules intent on eliminating subdomain spoofing not
otherwise handled by ADSP dkim=discardable.
The TPA-Label draft attempted to avoid the dilemma created by
dkim=discardable in respect to normal email use and its undefined
handling of subdomains.
IMHO, their best choice is likely to keep their corporate domain
separate from their web presence and its transactional email.
+1.
The worst thing they can do is to have a relaxed policy with anything
resembling their brand name and domain, especially corp.paypal.com, in
public channels. The unfortunate thing is that we currently warming
up systems to view 3PS signatures as an "acceptable" idea and the only
way to deal with it is the single source vouching of the last signer
in the path. That single source vouching isn't going to happen. Not
every verifier is going to be buying into a single vendor vouching for
signers.
If they do
follow your advice, their results would prove informative for others.
DKIM=UNKNOWN will only provide value for SSA (Special Signing
Arrangement).
It will negative impact a high value domain like paypal when it begins
to negatively warm up systems that don't have an association with a SSA.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops