ietf-dkim

Re: [ietf-dkim] SSP acceptance chart

2005-11-05 15:46:40

----- Original Message -----
From: "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org>
To: "Hector Santos" <hsantos(_at_)santronics(_dot_)com>


In my view, DKIM is essentially protecting the email message transport
system.

But it's not. It is protecting the domain.  I can test everything about DKIM
outside a transport system. I don't need SMTP to work it. It has nothing to
do with 2821 parameters, and I believe the closest property to a 2821
parameter is if a 2822.Sender header is included in the signature.

The chart offers a theoretical 69% (25/36) hard results with zero
false positive ACCEPT/REJECT conditions.  It has 31% (11/36) states
where there is insufficient data to make a hard decision. However, in
these cases, there is nothing to prevent a system or implementation to
augment a pattern recognition learning concept of repeated failures.

Sorry, but this is wrong.  You are making rules that brand legitimate
email as bad to claim the scheme works.  This scheme does not actually
stop abuse, but instead exposes email-address domains to unfair
reputation.  The ones that may benefit would be the mega-domains that
are less likely to be unfairly treated.

How else can it be stated?

The SSP Chart is simply reflecting the boundary conditions for the model.

Sure enough, some policies are too restrictive for some 3rd party services.
Sure enough, some policies are very desirable by some domains.

If I instituted an exclusive policy for santronics.com, I would be tickled
pink if a wide adoption of DKIM-ready systems would begin to pre-empt the
malicious abuse and spoofing of our domain on other MSAs or MDAs. If this was to
become a reality, I would immediately STOP using santronics.com for my
public roaming participating in various mailing lists. I would use a more
relaxed policy, not as safe, but that is par for the course when you choose
to hang out in public land.

I'm sure an e-Commerce business or bank or other high-value domains, who want
to send exclusive important email to their customers, would desire the same
level of protection.

You say this doesn't address certain kinds of social engineering phishing
mail.  I agree.  But I also disagree that your solution will prevent it,
and I believe your solution might even make the problem worse because you do
lack a policy verification concept.  You raised the bar for compliancy, yet
you are willing to accept broken compliancy as an acceptable form of doing
business. That doesn't make sense.  Why bother then?  Bad Actors will be
licking their chops if they see us reach this level of relaxed conclusion
with DKIM.  They will use DKIM as a way to squeeze through the cracks because
your IDEA allows them in the door.

A reputation system might help alleviate some of the problem, but I doubt
it, even then, it is a separate concept that can be used independent of
DKIM.


_______________________________________________
ietf-dkim mailing list
http://dkim.org