ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] SSP and mailing lists

2006-09-11 18:21:13
On Mon, 11 Sep 2006 15:06:45 -0500 wayne <wayne(_at_)schlitt(_dot_)net> wrote:
In <4505B4D8(_dot_)1040705(_at_)cs(_dot_)tcd(_dot_)ie> Stephen Farrell 
<stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> writes:

"I sign all email, and do NOT permit email through any body or
signature altering gateways"

I've no idea how a sending domain could enforce the "do NOT permit"
there. Neither in practice, nor in principle. Does anyone? (This may
just be my own ignorance of course, I don't claim to be a mail
expert.)

Well, you can't 100% enforce a "we don't send to mungers" requirement
any more than you can enforce a "we sign all email" requirement.
There are a lot of fairly easy steps you can take though:

1) If you can, set up domains such as accounts.bigbank.com that have
  no user mailboxes and is only used to send transactional email to
  customer accounts.

2) If you use domains where there are user mailboxes, have corporate
  policies that you can't sign up for mailing lists and such.  If
  anyone violates the rule, deal with them the same way you would any
  other violation of customer policies.

3) When a customer gives you an email address to use, send a test
  email to them to verify that it is valid.  To activate, make them
  either forward the email back or have them cut and paste it into a
  web form, very similar to how spamcop has dealt with the "mailhost"
  configuration stuff for several years now.

4) When you find out that there are problems sending email to $customer or
  $domain, work with the customer/mail-admin to fix the problem, and
  if it can't be fixed, disable sending email to $customer and/or
  $domain.

Of course, you also have to do all the work to make sure that all your
email is signed, that all your MTAs are working right, that employees
working at home don't send through their ISPs, that you don't use
greating-card/send-news-article stuff, etc.


Yes, this is a bunch of extra work that most will not be willing to
do, but I don't expect everyone to do it.  This is also the kind of
work that the receiver can not easily tell if the sender is doing or
not, but which the receiver can find very useful in deciding whether
they should accept or reject an email that has been munged.  So, this
is exactly the kind of information that needs a way for the sender to
communicate with the receiver about.  It benefits both parties.

+1.  I would like to get e-mail from such a bank.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html