ietf-dkim

Re: [ietf-dkim] SSP and mailing lists

2006-09-12 03:26:23
"Thomas A. Fine" <fine(_at_)head(_dot_)cfa(_dot_)harvard(_dot_)edu> writes:

So if the only way a domain can set a policy that permits* recipients
to drop unsigned or broken mail is to set a policy that it will
not use non-compliant mailing lists, then this is doomed to failure,

Maybe one solution to the mailing list problem would be to approach
from a different angle. Would it be possible, for verification etc.
purposes, to consider mailing list traffic to have come from the
mailing list, not the person who submitted to the list? So, taking this
list as an example, the checking, reputation etc would be done on
'ietf-dkim(_at_)mipassoc(_dot_)org' not on the individual submitters. As far as
phishing is concerned, by their very nature the type of messages which
phishers spoof would not legitimately be sent via a mailing list[1] to
which the recipient has subscribed. Therefore receipt of any such
messages via a mailing list should automatically be suspect without
needing DKIM (or other checks) on the submitter.

[1] Unless it is an 'announce' type list run by the actual
organisation in which case verifying that it genuinely came from the
mailing list should give just as much confidence and trust as
verifying the RFC2821/2 entities.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html