ietf-asrg

Re: [Asrg] DKIM role?

2009-01-09 06:23:08


--On 8 January 2009 12:10:23 -0800 Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:


> On Jan 5, 2009, at 7:22 AM, Ian Eiloart wrote:
>> --On 22 November 2008 08:43:21 -0500 Rich Kulawiec <rsk(_at_)gsp(_dot_)org>
>> wrote:
>>
>>> On Thu, Nov 20, 2008 at 02:33:51PM +0000, Ian Eiloart wrote:
>>>> The only thing that matters is that you can reach the system
>>>> administrator for the domain that sent the email.  Then you can
>>>> assign reputation to the domain, and even to the email address used.
>>>
>>> But you can do that today -- well, by IP address, at least, which
>>> is (as we've seen from the use of DNSBLs) nearly always good enough
>>> to make accept/deny decisions WRT email.
>>
>> But that's not good enough. In fact it's crap. If I want to
>> whitelist an organisation, I can't do it because there's no
>> principled way in which I can know what IP address they're using to
>> send email. I need to be able to whitelist the domain. As long as
>> there's nothing to stop people spoofing the domain,
>
> There are methods that can be used to limit risks related to whitelisting
> domains.  Often these involve capturing prior conversations and noting
> where the message originated.  The locations might then be expanded to
> CIDRs, routes, or acquired address lists.

"Greylisting"? Or something similar. Well, perhaps, but it seems complicated compared with SPF. I don't understand why there are banks that don't publish SPF records, for example. And, I'd like to be able to whitelist all .ac.uk domains when there's an SPF or DKIM match. Why? Well, I know that the domains are hard to register, that they have a relationship with my organisation, and as a rule I'll be able to contact a competent administrator if something goes wrong.

The advantage of DKIM and SPF, of course, is that I don't have to guess about anything technical - like which IP addresses belong to a domain.

....

--
Ian Eiloart
IT Services, University of Sussex
x3148
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
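
The policy described in the message above (whitelist a domain suffix such as .ac.uk only when SPF or DKIM authenticates the domain), as an added example that is not part of the original thread. It assumes the receiving MTA records its checks in an Authentication-Results header under the hypothetical authserv-id `mx.example.org`; the parser is simplified and all header values are constructed.

```python
import re

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of our own border MTA
WHITELIST_SUFFIXES = ("ac.uk",)      # suffix policy from the message

def parse_auth_results(value):
    """Simplified parse: (authserv_id, [(method, result, {property: value})])."""
    parts = [p.strip() for p in value.split(";")]
    authserv = (parts[0].split() or [""])[0].lower()
    results = []
    for part in parts[1:]:
        part = re.sub(r"\([^)]*\)", " ", part)  # drop (comments)
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if not m:
            continue
        props = {k.lower(): v.lower() for k, v in
                 re.findall(r"([a-z]+\.[a-z0-9-]+)\s*=\s*(\S+)", part, re.I)}
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv, results

def under_suffix(domain, suffixes=WHITELIST_SUFFIXES):
    # Match on a label boundary so "notac.uk" is not treated as ".ac.uk".
    domain = domain.rstrip(".").lower()
    return any(domain.endswith("." + s) for s in suffixes)

def authenticated_domains(header_values):
    domains = set()
    for value in header_values:
        authserv, results = parse_auth_results(value)
        if authserv != TRUSTED_AUTHSERV:
            continue  # not written by our MTA; the sender could have inserted it
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "spf" and "smtp.mailfrom" in props:
                domains.add(props["smtp.mailfrom"].rpartition("@")[2])
            elif method == "dkim" and "header.d" in props:
                domains.add(props["header.d"])
    return domains

def whitelisted(header_values):
    return any(under_suffix(d) for d in authenticated_domains(header_values))

# Constructed Authentication-Results values, one list per message.
GOOD = ["mx.example.org; spf=pass smtp.mailfrom=alice@example.ac.uk; dkim=pass header.d=example.ac.uk"]
SPF_FAIL = ["mx.example.org; spf=fail smtp.mailfrom=alice@example.ac.uk; dkim=none"]
FORGED_HEADER = ["elsewhere.invalid; dkim=pass header.d=example.ac.uk"]
LOOKALIKE = ["mx.example.org; dkim=pass header.d=notac.uk"]
```

SPF authenticates the envelope sender domain and DKIM the signing domain (`d=`), so neither result by itself says anything about the visible From: header.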