On Jun 9, 2007, at 1:51 PM, Hector Santos wrote:
> That said, some systems, such as our own, have one attempt only
> for the "Implicit MX" rule. i.e. No MX -> A Lookup --> 1 attempt only.
> This past week alone we would have electronic mail communications
> fail with legit customers lacking MX records if this rule was
> enforced.
> I just can't see this happening. I will have to see snowballs
> fall from these South Florida skies before I would have our SMTP
> system changed.
The concept is to first deprecate use of A records for discovering
inbound SMTP servers. After some period of time, then obsolete the
use of A records for this purpose.
Any receiving SMTP wishing to take full advantage of DKIM and any
exclusions afforded by DKIM policy will need to:
- implement DKIM signature verification and,
- verify use of the domain.
(Initially this would be by checking for either MX or A records.)
Publishing DKIM policy becomes easier to administer once A record
discovery is obsoleted. When DKIM policy is intended to defeat sub-
domain spoofing, domains will need to publish policy at every domain
level containing an A or MX record. Once A record discovery is
obsoleted, then policy would only need publishing adjacent to MX
records.
- The alternative is a registry domain list and domain traversal
searches. (More work for receiving MTAs)
- Publishing policy and wildcarded policy records at _every_ DNS
node. (More work for sending MTAs while also risking DNS wildcard
related exploits.)
There will not be instant compliance regarding DKIM's policy
exclusions of bogus messages. DKIM + Policy alone may remain
ineffective as an exclusionary mechanism, regardless of publication
methods.
"Proof of use" establishes a basis to exclude much more than just
bogus DKIM messages. Why not simplify how "proof of use" can be done
efficiently?
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
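The discovery rules argued over above (MX first, A record as the implicit-MX fallback, and the consequence for where DKIM policy must be published) can be made concrete with a small model. The following is an added example, not code from the list or from any MTA; the DNS data is a constructed in-memory table under the reserved `.test` TLD, and the names `lookup`, `domain_in_use` and `policy_nodes` are the example's own. Setting `allow_a_fallback=False` models the end state Doug describes, where A-record discovery has been obsoleted and policy only needs publishing adjacent to MX records.

```python
"""Model of "proof of use" discovery for a DKIM signing domain.

Constructed example: the zone data is a fake in-memory table, and a real
receiver would query a resolver instead of this dictionary.
"""
from typing import Dict, List, Optional

# Constructed zone data (hypothetical names): name -> {rrtype: [rdata, ...]}.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "example.test":        {"MX": ["mail.example.test"], "A": ["192.0.2.10"]},
    "mail.example.test":   {"A": ["192.0.2.10"]},          # MX target, A only
    "legacy.example.test": {"A": ["192.0.2.20"]},          # no MX: implicit-MX case
}


def lookup(name: str, rrtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed table."""
    return FAKE_DNS.get(name.lower().rstrip("."), {}).get(rrtype, [])


def domain_in_use(domain: str, allow_a_fallback: bool = True) -> Optional[str]:
    """Return "MX" or "A" naming the record that proves the domain receives
    mail, or None if neither applies.

    allow_a_fallback=True is today's implicit-MX rule (no MX -> try A);
    allow_a_fallback=False is the proposed end state where A-record
    discovery has been obsoleted.
    """
    if lookup(domain, "MX"):
        return "MX"
    if allow_a_fallback and lookup(domain, "A"):
        return "A"
    return None


def policy_nodes(domain: str, allow_a_fallback: bool = True) -> List[str]:
    """List every label level of `domain`, walking upward, at which a policy
    record would have to be published to block sub-domain spoofing: each
    level that discovery would treat as a mail receiver."""
    labels = domain.rstrip(".").split(".")
    nodes: List[str] = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if domain_in_use(candidate, allow_a_fallback):
            nodes.append(candidate)
    return nodes


def dkim_acceptable(signature_verified: bool, signing_domain: str,
                    allow_a_fallback: bool = True) -> bool:
    """The receiver-side check from the post: a verified signature AND
    proof that the signing domain is in use."""
    return signature_verified and domain_in_use(signing_domain, allow_a_fallback) is not None


if __name__ == "__main__":
    for name in ("mail.example.test", "legacy.example.test"):
        print(name, "today:", policy_nodes(name),
              "| A obsoleted:", policy_nodes(name, allow_a_fallback=False))
```

Run stand-alone, the script shows that under the implicit-MX rule a policy record is needed at both `mail.example.test` and `example.test`, whereas with A-record discovery obsoleted only `example.test` (the node adjacent to the MX record) needs one.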