ietf-dkim

[ietf-dkim] Re: accountability, resenders, and replay

2005-08-26 15:03:24
Tony Finch wrote:

> On Tue, 23 Aug 2005, Keith Moore wrote:
>> What standard should a domain require before "authorizing" a message?
>> That it's suitable for any recipient who might somehow find it in his
>> mailbox?  (I doubt it)
>
> What I mean by "accountable" is that one would expect that the domain has
> a reasonable anti-spam policy which they actually follow. There's a lot of
> blurriness in "reasonable": for example, opt-out mailing lists are legal
> in the USA but not the EU. But in general it means that they should
> respond meaningfully to complaints, e.g. removing recipients from mailing
> lists or cancelling rogue senders' accounts. It does not mean that they
> will get blacklisted at the drop of a hat, as some people on this list
> seem to fear.

I think "accountable" needs to be whatever messages the domain wishes to make an assertion of authorization for. Some domains might require authenticated submission in order to sign the message. Others might only sign messages for "premium" customers (who probably pay a fee). Others might sign everything that passes through their MTA. It depends on their customer (or employee) base and business model.

A signature cannot be an assertion of any particular anti-spam policy. Haven't we all gotten spam emails with headers or text claiming that they're not spam? We don't need another way to do that.

-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org