On 30 Aug 2006 14:28:29 -0000 John Levine <johnl(_at_)iecc(_dot_)com> wrote:
In addition, I would also note that it is extremely easy in a group like
this to lose track of how non-technical many domain owners are today.
Right, and that means that they use someone else to provide their
mail service.
Exactly. Odds are, not the same provider that does their DNS. They are in
the middle.
Keep in mind that DKIM, unlike SPF, requires the active participation
of whoever runs your outgoing mail server to apply signatures, unless
you are enough of a weenie to run a signing engine in your MUA and do
your own key management. For the vast majority of non-technical
users, their ISP or hosting company's MTA will apply its own
signature, and that will be good enough. Indeed, it will probably be
better than a tiny domain's own signature, since whatever formal or
informal reputation systems recipients use are much more likely to
have entries for the ISP than for a tiny domain that sends 12 messages
a week.
That sounds to me like you are saying that DKIM first party signing is only
for big domains. If that's the WG consensus, then that's what we should
design to, but I hope not. I have said before that I think scalable works
two ways. It has to scale small too.
I also think that you underestimate the scalability of the proprietary
reptation vendors. Mail servers get their IP address into, for example
Ironport's Senderbase, such systems after having sent just a handful of
messages. I doubt name based systems will be less granular.
Let's not do another round of should reputation accrue based on the
author's domain or the MTA operator's domain. I, for one, think that,
"You're little, third party is good enough for you" is not the right answer.
I suppose it is hypothetically possible that providers will upgrade
their MTAs to support per-domain DKIM signing and out of perverse
hostility won't offer the DNS support for it. That has never
impressed me as a scenario likely enough to be worth inventing a new
mechanism with unknown security problems that has to be implemented by
all DKIM recipients.
It's fortunate then that that isn't the scenario I'm trying to support.
The likely scenario is the outsouced MTA and DNS are provided via different
companies. I think MTA from the ISP and DNS from a name registrar is
entirely typical.
At this point I'm not suggesting an alternative. My point is that NS
subdomain delegation is not sufficient by itself.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html