
Re: [Asrg] Third party DKIM signatures

2006-06-01 17:22:31
On 6/1/06, Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org> wrote:

 Would Google or Yahoo be able to verify to
that Joe Blow is authorized to send out email as joeblow(_at_)yahoo(_dot_)com or
joeblow(_at_)gmail(_dot_)com when sending email from  Manual
confirmation doesn't scale.  Automating it opens up the potential for
address harvesting.

spf plus a database-based DNS can solve this.  joeblow registers with
yahoo's complex spf engine that he sometimes sends his mail from,
and the receiving MTA hits a macro section in yahoo's spf record that
indicates how to build an A-record query to ask if he uses
and the receiving MTA does the A-record lookup and bases the authorization
result on the result of the second DNS lookup, which looks something like


SPF classic provides macros for exactly this purpose; there is very little
potential for harvesting without guessing; statistical techniques currently
used to deny access to guessers can be re-used to protect the dns service.

If guessing would be of any use at all, since you would need to guess the
user-part in association with a non-standard relay that that user uses, in
order to get a useful result from a guess. would NOT provide zone transfers
to the general public, for instance.

David L Nicol
"fans of liza minelli should always be
disconnected immediately" -- Matthew Henry at Voxeo
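
An added example, not part of the original message and not a reconstruction of the query omitted from it: a minimal SPF macro expander (lowercase macros only, RFC 7208 section 7) and an `exists:` check against a constructed zone, showing the per-user, per-relay lookup described above. The domain `mail.example`, the `_relay` label, the record layout and the function names are assumptions for illustration.

```python
import ipaddress
import re

# RFC 7208 section 7 macro syntax, lowercase letters only (no URL-encoding forms).
MACRO = re.compile(r"%\{([slodivh])(\d*)(r?)([.\-+,/_=]*)\}|%([%_\-])")
LITERAL = {"%": "%", "_": " ", "-": "%20"}

def expand(spec, sender, ip, helo="unknown"):
    """Expand SPF macros in a domain-spec for one SMTP transaction."""
    local, _, domain = sender.rpartition("@")
    local = local or "postmaster"          # RFC 7208 default local-part
    addr = ipaddress.ip_address(ip)
    # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6
    dotted = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    # %{d} equals %{o} here because no include/redirect is followed
    values = {"s": f"{local}@{domain}", "l": local, "o": domain, "d": domain,
              "i": dotted, "v": "in-addr" if addr.version == 4 else "ip6", "h": helo}

    def one(m):
        if m.group(5):                     # %%, %_ and %- literals
            return LITERAL[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]   # keep the right-most N labels
        return ".".join(parts)

    return MACRO.sub(one, spec)

# Constructed stand-in for the provider's database-backed zone: one A record per
# (local-part, relay IP) pair a user has registered. All names are hypothetical.
ZONE = {"joeblow.192.0.2.25._relay.mail.example": "127.0.0.2"}

def exists_matches(term, sender, ip, zone=ZONE):
    """True if the name built from an 'exists:' term has an A record in zone."""
    name = expand(term.split(":", 1)[1], sender, ip).lower()
    return name in zone

TERM = "exists:%{l}.%{i}._relay.%{d}"      # hypothetical SPF term
```

A wrong user or a wrong relay both yield no record, so a single query only confirms a pair the querier already holds.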
