[Top] [All Lists]

Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-15 12:39:33
On 11/7/06, Patrick Peterson <ppeterson(_at_)ironport(_dot_)com> wrote:

3 months and 1300 mailing list posts ago, I wrote that I was going to
survey some senders on SSP use cases and report results back to the
list. At long last, here are the results.


I apologize for the late post.

(Side note: This email is coming from my gmail address.
However, I am writing this email in my role as compliance /
abuse manager for an e-messaging application service
provider (ESP) known as

BigHip has seen its domain both phished and forged.

We perceive that being able to publish an SSP is important.
Hence this post.

Why? BigHip publishes an RFC 2822 sender header to identify
that all email is being sent from its network.

(Side note: This is consistent with best practices for
e-marketers as found in the Canadian Spam Task Force

In turn, BigHip signs its mail (presently using DK)
verifying the sender header.

(Side note: we use the domain in our RFC 2821
and RFC 2822 headers, except for the RFC 2822 From header.
The client provides the domain for use in the RFC 2822 from

This approach allows for compliance with best practice,
while making it easy to implement various authentication
technologies, including DKIM, but ....

Only if receivers allow for verification of the sender

As the responsible sender, (even though we are an ESP, the
mail is coming from our network), we can not tell receivers
what to do. It is their network.

But, through the use of an SSP, we can make certain
statements about our policies.

In turn, receivers can, if they wish, take these
statements into account when making decisions about how to
treat mail coming from our network.

Possible SSP statement: -

We sign all mail, verifying the RFC 2822 sender header. No
signature or invalid signature, providing receiver checks
and verifies RFC 2822 sender header and not just RFC 2822
from header, reject with appropriate non delivery receipt
sent at SMTP time. Bad signature, defer with appropriate
non deliver receipt sent at SMTP time, allow for re-send
and delivery.

Accordingly, I am asking that:

* The working group pushes forward with its work on SSP.

* When writing the SSP, the working group takes into
account that there is a group of senders (who mail on
behalf of others) that follow recommended practices by
publishing a sender header, who would like to sign the
sender header, have this signature verified and want to
protect the domain in the sender header from phishing and
forgery attacks.



John Glube
Bighip - Compliance / Abuse officer
NOTE WELL: This list operates according to

<Prev in Thread] Current Thread [Next in Thread>