On Tuesday 22 August 2006 15:56, Hallam-Baker, Phillip wrote:
... we need to promote the idea that you should not look for the
existence or even the validity of a DKIM header as being as important as
the domain that is claiming responsibility. If you can't correlate the
domain to some form of additional information you should ignore the record
entirely.
And I would argue that SSP is a first attempt to provide some of the
additional information.
What we need is more determinism and fewer heuristics.
If we can get an SSP that is adequately expressive, I want to be able to reject
messages after DATA if they fall outside the scope of the defined sender
policy. If the message is real, the sender will get a rejection notification
and they can try an alternate means of communication. If it's forged spam,
no one is bothered by backscatter. This is a path away from messages
disappearing forever into never-reviewed spam folders.
I also want the SSP to work for as broad a set of senders as it can reasonably
accommodate. If it just works for the large senders, we will not, in my
opinion, have done the job we were chartered to do. Scalability is both up
and down.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html