Imagine, if you will, that I'm a big ISP with lots and lots and lots of
consumer type end users who prefer to stay clueless about the
intricacies of e-mail.
A message comes in which claims to be from the First Amalgamated Bank of
Example. An entirely separate, unrelated mechanism has already told me
that example.com really is the domain name used by the First Amalgamated
Bank of Example, and that they're a real bank with tellers and vaults
and bulletproof glass and all that fun stuff.
But this message isn't signed (and/or the signature is invalid, which
base says is the same thing.) How do I find out whether or not the
First Amalgamated Bank of Example thinks that they sign all of their
messages? That should be a simple, binary operation, right? I really
don't care about anything else the sender may want to assert.
Should that be in SSP? Should it be in something else? Should I
encourage all of the banks to use a non-standardized external mechanism
while y'all argue?
--
J.D. Falk, Anti-Spam Product Manager
Yahoo! Product Platform Group
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html