ietf-dkim

Re: [ietf-dkim] SSP and mailing lists

2006-09-11 13:23:51
Stephen Farrell wrote:

Hi Thomas,

This isn't really directed at you, but I've wondered each time
someone has said something like:

Thomas A. Fine wrote:
"I sign all email, and do NOT permit email through any body or
signature altering gateways"

I've no idea how a sending domain could enforce the "do NOT permit"
there. Neither in practice, nor in principle. Does anyone? (This may
just be my own ignorance of course, I don't claim to be a mail
expert.)

If it's unenforceable, then I don't see why anyone would bother making
the statement.

Lots of businesses have email policies that their employees are expected
to follow.  Many say that personal email is not allowed with a business
account.  A bank might be an example of someone who could have such
a tight policy that the bank email addresses can only be used for
inter-office email, or to a limited degree for customer correspondence,
and for no other purpose.

So for a bank, or another entity with very high security standards, this
might be a good policy.  But for almost no one else.  As far as
enforceability goes, the point would be that a DKIM/SSP compliant
receiver would be able to enforce this.  Other than that, it is as
enforceable as any corporate email policy.  Some corporations do
literally monitor all email traffic, and could catch people
violating their internal policy.

Note that I'm not advocating for this extra claim of where the email
has gone.  I can see that it would be useful in a few situations.  I'm
not sure how it would fit into the current system where policy is never
checked if the signature is valid.  Another approach to accomplish the
same protection might be to include a signed tag in the email header that
says something like "DKIM-forwardable: no", and then the MDA could
increase its verification standards when that tag is found.
I'll have to think this idea through though...

         tom
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
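
The receiver-side check suggested at the end of the message above, as an added example that is not part of the original post or of any DKIM implementation. The header name "DKIM-forwardable" is the hypothetical one from the post; the function names, the sample messages and the "strict"/"default" labels are assumptions, and cryptographic verification of the signature is left to a real DKIM verifier.

```python
from email import message_from_string

TAG = "dkim-forwardable"  # hypothetical header name taken from the post

def parse_tags(value):
    """Split a DKIM tag=value list (';'-separated) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def signed_headers(msg):
    """Lower-cased header names listed in h= of any DKIM-Signature."""
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        h = parse_tags(sig).get("h", "")
        covered.update(n.lower() for n in h.split(":") if n)
    return covered

def verification_mode(raw):
    """Return 'strict' when a signed 'DKIM-forwardable: no' is present.

    'strict' means the MDA should treat a missing or broken signature as a
    failure; 'default' means normal handling. This function only decides
    which mode applies; it does not verify the signature.
    """
    msg = message_from_string(raw)
    values = [v.strip().lower() for v in msg.get_all(TAG, [])]
    if "no" not in values:
        return "default"
    # An unsigned tag could have been added or altered in transit, so it
    # only counts when the signature's h= list covers it.
    return "strict" if TAG in signed_headers(msg) else "default"

def sample(h_list, tag_line):
    """Constructed test message; all values are placeholders."""
    return ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
            f" h={h_list}; bh=PLACEHOLDER; b=PLACEHOLDER\n"
            "From: teller@example.com\n"
            f"{tag_line}"
            "Subject: statement\n\nbody\n")

if __name__ == "__main__":
    print(verification_mode(sample("from:subject:DKIM-Forwardable",
                                   "DKIM-forwardable: no\n")))
```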