Dave Crocker wrote:
There is a very simple distinction we can make:
If a message is signed, then the signature (and associated key
information) speaks for itself. If the organization has constraints on
who is allowed to sign a message or what message they are allowed to
sign, or what algorithms they are supposed to use, then that is a matter
for internal management within the organization. It is not the job of a
public standard to recruit a recipient into enforcing sender-side
internal administrative policies. If an organization chooses to publish
support for a weak algorithm, again, that is their problem, not the
recipient's.
Whoa, whoever convinced or turned your head, I want to thank them.
Metaphorically, throw everything out the window and just consider the
avalanche of mail a system has to process. If DKIM is going to "raise
the bar" then it better had some chutzpah behind it. IOW, the only way,
this vendor will turn the switch on DKIM is when there is a DOMAIN
POLICY concept behind it.
Hence, SSP should be used for receipt of unsigned messages.
Statements like "I sign everything" and "I send no mail" are examples.
These are the boundary conditions and represents, in my view, the
highest benefits for the domains, in one way or another. Either they do
or they don't, and if they want a mix bag, then they MUST have a policy
that helps categorized failures with success.
Remember, never mind DKIM, think of the amount of mail receivers have to
process. If they have to being to lump DKIM into the picture with some
"special meaning" behind it then that "special meaning" better be well
defined with a "PAYOFF."
Broken DKIM messages on a on-going basis will not be tolerated or they
will be simply ignored altogether - no overhead will be exerted, and
that just makes all this a waste of time.
Thanks
---
HLS
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html