John L wrote:
>> Part of the problem here is the past record of SPF with over-zealous 550 if there's any hint of bogosity. We, for example, would be forced to take down a "we sign everything" policy if that were to happen with DKIM -- even though we'll be signing everything pretty soon. If there were a qualifier in the "I sign everything" policy that specifically implies that "sending a 550 based on a missing DKIM signature alone is extremely bone-headed" then maybe we can both.

> I don't see the point. That last suggestion is, to the recipient, the equivalent of a useless "I sign some mail" since you're telling the recipient it's OK to accept some amount of both signed and unsigned mail.
For us, the amount of mail that is in the false positive quandary is really, really small, though the people it would affect primarily are people who could make it a living hell in IT. A policy which is more relaxed could, however, say that it's well worth the effort to be extremely cautious about such mail -- a far higher barrier to entry than the current one-size-fits-all filters. This would be justified because a) the high-scrutiny class would be a small subset, so that extra scrutiny wouldn't incrementally cost much (if anything), and b) this is the kind of mail that you really, really want to be cautious about anyway, since it's where the phishing attacks are happening.

So no, I don't think it's useless at all. It provides a means to classify mail in much more precise buckets so that the analysis budget can be more sensibly divided.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html