On 1/25/11 5:49 PM, Dotzero wrote:
The triggering question was whether one can make decisions directly
based on SPF, DKIM or a combination of the two. Doug stated that one
could not. My position is that you generally can (combinations) for
domains that have good control over the mailstreams (particularly
abused brands such as financial).
Mike,
Correction. To be clear, may I say one can use the position of stars in
the sky when making decisions.
However, when making reasonable decisions about how well a provider is
managing their mail resource, SPF pass or fail represents a poor
measure. SPF pass offers little upon which an administrator can be
judged. Malefactors are good at offering an SPF pass. Providers that
handle messages where a customer's SPF record ends up failing also does
not necessarily mean the administrator has done anything wrong either.
Instead, one must use identifiers that accurately track resources being
managed by the administrator when assessing their stewardship, not how
clever their customers are in deciding which SPF records to publish. We
both know customers are likely to get this wrong. Your statements about
some strange need to use "-all" suffixes in these records does not help
the situation either.
Secondly, DKIM can be replayed and will not necessarily indicate the
intended recipient of the message. Blindly using DKIM as a basis to
assert a signing domain is responsible for sending unsolicited bulk
email may prove highly unfair when replayed by some malefactor. When
mitigating SPAM, both SPF and DKIM represent poor and often misused
tools. In addition, seldom are both DKIM and SPF required for message
acceptance, which leaves either mechanism wide-open to abuse. A
requirement that both mechanisms pass would reduce the integrity of
email delivery, and make recipients unhappy about their lost messages.
Use of cryptographic authentication of SMTP clients supported by DANE
resource records can operate within IPv6, and then offer truly effective
tools able to fairly aid in the mitigation of SPAM. Use of third-party
authorization would also permit policies able to cope with how email is
normally used, without loosing track of the administrator's resource
management.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg