ietf-dkim

Re: [ietf-dkim] user level ssp

2006-09-07 12:27:34
John Levine wrote:
Whereas, "I sign no mail" means that it ALL has to go through a
traditional spam filter.  One could make an argument that such a
policy would mean that any SIGNED mail from this domain can be
immediately dropped as invalid.

Nope.  If you get signed mail, that means the domain has published a
signing key.  If the SSP says "I sign no mail", then the domain is
denying the existence of its own signing key.  The only thing we can
conclude is that the person who runs that domain's DNS isn't very good
at it.

Yeah, I see that now.  I'm willing to retract the first couple of
paragraphs from that email, and I recognize that under the current
model, there's no point in "i sign no mail", as well as no point
to "i sign some mail".

But...

And "I sign all mail" means that unsigned mail can be instantly
dropped.

Yes, if you believe it.  As has been exhaustively argued here before,
there are lots of plausible ways that a legitimate message could
arrive with a broken or missing signature, with mailing lists being
the horse that has been beaten the hardest.  We also know from SPF
that if you believe -all, you'll lose a lot of valid mail.

It can't mean anything else.  Sure mail can fail to go through for
a variety of reasons - with or without DKIM.  DKIM isn't designed to
guarantee delivery.  That's not its job and it's an impossible job.

Once a domain has successfully implemented DKIM though, more of their
mail will get through than in the present case with false-positives
from spam filter software.  In that respect, "I sign all mail" is
an excellent policy if you want to improve your rate of successful
deliveries.

One possibility would be to drop all unsigned mail, tough noogies.

If their policy is "I sign all mail" then that's the only possible way
to handle this.  I don't care what went wrong or why, they can figure
out what went wrong, and resend the lost messages.  It happens all the
time and we sysadmins know exactly how to deal with it.

It's interesting because we keep finding users that set up software that
uses non-standard software to send out their mail, and then they wonder
why their critical mail delivery fails every time a certain file server
is down for maintenance.  Then we as kindly sysadmins have to point out
that this is the wrong way to send mail and they should have consulted
us first and here's the right way to do it.

The only thing different if we had to institute a "sign all mail" policy
is that it would be much more obvious to the users that most or all of their
mail is not going through, and we would find and fix the problem much more
quickly.

One thing I know - the time I spend fixing or upgrading various mail
senders is vastly less than the time I will waste on configuring spam
filters, and helping users configure spam filters, and dealing with
all the other fallout from spam.

Or
you do your whitelisting first to catch the lists and other known
friendly forwarders that sign their mail, and then do SSP after that.
Or something.  These are all paper designs, so nobody has any idea how
much if any of SSP will be useful in practice.

Without SSP, DKIM is almost completely useless for protecting domains
from being spoofed, and almost completely useless for reducing spam.
With SSP, it will be pretty easy to do both.

         tom
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
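
The receiver-side ordering debated in this message (whitelist known forwarders first, then apply the sender's signing policy), as an added example that is not part of the original message or of any SSP draft. The policy labels mirror the thread's wording ("I sign all/some/no mail"); the `Message` type, the `evaluate` function, the verdict names and all sample domains are constructed for illustration.

```python
from dataclasses import dataclass, field

# Labels taken from the thread's wording, not from SSP draft syntax (assumption).
SIGNS_ALL, SIGNS_SOME, SIGNS_NONE = "all", "some", "none"

@dataclass
class Message:
    author_domain: str                                   # domain of the From: address
    verified_signers: set = field(default_factory=set)   # domains whose signature verified

def evaluate(msg, policies, trusted_forwarders, strict=True):
    """Return (verdict, reason) for one message.

    policies: author domain -> published policy (stand-in for a DNS lookup)
    trusted_forwarders: signer domains the receiver has whitelisted
    strict: True drops unsigned mail under "all"; False only marks it suspicious
    """
    policy = policies.get(msg.author_domain)
    # A verified author-domain signature stands on its own.
    if msg.author_domain in msg.verified_signers:
        if policy == SIGNS_NONE:
            # The key exists, so the published policy is simply wrong.
            return "pass", "policy contradicts published key"
        return "pass", "valid author-domain signature"
    # Whitelist before policy, so list mail with a broken signature survives.
    if msg.verified_signers & trusted_forwarders:
        return "pass", "signed by whitelisted forwarder"
    if policy == SIGNS_ALL:
        verdict = "reject" if strict else "suspicious"
        return verdict, "no valid signature from sign-all domain"
    # "some", "none" or no policy tells the receiver nothing about unsigned mail.
    return "filter", "fall back to content filtering"

# Constructed sample data.
POLICIES = {"bank.example": SIGNS_ALL, "sloppy.example": SIGNS_NONE,
            "mixed.example": SIGNS_SOME}
FORWARDERS = {"lists.example"}

def demo(strict=True):
    samples = {
        "direct":   Message("bank.example", {"bank.example"}),
        "via_list": Message("bank.example", {"lists.example"}),
        "spoof":    Message("bank.example"),
        "bad_dns":  Message("sloppy.example", {"sloppy.example"}),
        "unsigned": Message("mixed.example"),
    }
    return {k: evaluate(m, POLICIES, FORWARDERS, strict) for k, m in samples.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Calling `demo(strict=False)` models the more cautious reading of "I sign all mail", where the unsigned message is marked rather than dropped.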
