On Jan 23, 2006, at 12:45 PM, Peter J. Holzer wrote:
> On 2006-01-23 11:41:56 -0800, Douglas Otis wrote:
>> DKIM is not related to the return-path and is not expected to
>> survive within a DSN.
>
> It doesn't have to be. My idea was simply to exempt domains which
> use DKIM from the auto-ack check.
>
> I.e. if a message is received from a sender domain which announces
> that it uses DKIM:
>
> If the message has matching signature, accept it.
> If the message has no or an incorrect signature reject it.

Not a good idea. It may be a message munged by a list-server. DKIM
allows cases where the email-address domain does not match the
signing domain, and policies permitting third-party domain
signatures. This mitigation is depending upon the prevalence that
email-addresses are confined to that of the provider. Even when the
email-address domain and the signing domain match, this still has not
confirmed the return-path should there be a reason to bounce the
message.

> (Same thing for SPF, etc.)

SPF is often open-ended. This may not offer an assurance of the
return-path either, and failure may also be in error.

> Otherwise quarantine message and send auto-ack.
>
> I.e., if you are flooded with lots of auto-acks because a spammer
> forges your mail addresses, you can simply add an SPF record, or (a
> bit less simple) implement DKIM on your outgoing mails to stop the
> flood.

If the concern is to ensure the delivery of the message, BATV would
be a safer option for avoiding the back-scatter. DKIM does not
prevent any back-scatter as explained. Rejection based upon SPF has
similar problems with erroneous failures.

> I still don't like that scheme, but this way it would only be
> annoying instead of nasty.

>> BATV, much like VERP, offers a solution for preventing any
>> "back-scatter" problem from affecting the users.
>
> Yes, but it has to be implemented by the sender. If I implement it, I
> will get less (or even no) backscatter, but it won't reduce the
> amount of "real" spam I get.

This comment was limited to your conclusion that DKIM or SPF solves
the back-scatter problem. They don't. SPF depends upon
third-parties reading and acting on the record or perhaps expecting the
spammers to have read your record. Use of SPF also hopes that no one
on your domain is sending to a forwarded account when closed. DKIM
has nothing to do with the return-path. Don't forget that spammers
will be able to sign as well as anyone else and take advantage of
open policies.

-Doug
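
To illustrate the BATV point in the message above (an added example, not part of the original post or of any BATV implementation): the sender tags its own return-path and refuses null-sender bounces whose recipient lacks a valid tag. The key, addresses, seven-day lifetime and day numbers are constructed, and the tag layout (key digit, three-digit expiry day, six hex digits of HMAC-SHA1) is assumed from the `prvs` scheme of the BATV draft rather than taken from the thread.

```python
import hashlib
import hmac

# Constructed values for illustration; none come from the thread.
KEYS = {"0": b"constructed-demo-key"}   # key digit -> secret
LIFETIME_DAYS = 7                        # assumed bounce validity window


def _mac(prefix: str, mailbox: str) -> bytes:
    """Six hex digits (3 bytes) of HMAC-SHA1 over key digit + expiry day + address."""
    digest = hmac.new(KEYS[prefix[0]], (prefix + mailbox).encode(), hashlib.sha1)
    return digest.hexdigest()[:6].encode()


def sign_return_path(mailbox: str, today: int, key_digit: str = "0") -> str:
    """Tag the envelope sender of outgoing mail; `today` is a day count since the epoch."""
    prefix = f"{key_digit}{(today + LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={prefix}{_mac(prefix, mailbox).decode()}={mailbox}"


def check_bounce_rcpt(rcpt: str, today: int) -> str:
    """Verdict for a null-sender (MAIL FROM:<>) message addressed to `rcpt`."""
    parts = rcpt.split("=", 2)
    if len(parts) != 3 or parts[0] != "prvs":
        return "reject: untagged"        # no mail of ours carried this return-path
    tag, mailbox = parts[1], parts[2]
    if len(tag) != 10 or tag[0] not in KEYS or not tag[1:4].isdecimal():
        return "reject: malformed tag"
    if not hmac.compare_digest(tag[4:].encode(), _mac(tag[:4], mailbox)):
        return "reject: bad signature"
    # Day numbers wrap at 1000: valid only if expiry lies 0..LIFETIME_DAYS ahead.
    if (int(tag[1:4]) - today) % 1000 > LIFETIME_DAYS:
        return "reject: expired"
    return f"accept: {mailbox}"


if __name__ == "__main__":
    day = 13171                          # constructed day number
    tagged = sign_return_path("doug@example.org", day)
    for rcpt, when in [(tagged, day + 3), ("doug@example.org", day + 3), (tagged, day + 9)]:
        print(rcpt, "->", check_bounce_rcpt(rcpt, when))
```

The check runs only on the sender's own inbound server and only for null-sender mail, so it needs no cooperation from the sites generating the bounces.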