ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] DKIM signature can mean it's safe to generate bounce?

2007-07-07 14:21:55

On Jul 7, 2007, at 10:55 AM, Dave Crocker wrote:



Michael Thomas wrote:
An interesting side effect is that it would also suppress bounce messages from mailing lists, even if they resigned. I'm not sure if this is a feature or a bug.

I think that that will depend entirely on the way the SSP record is defined, much like the constraints on rfc2821.From values that are being discussed.

So, yeah, if the SSP associated with the MailFrom says "rfc2821.MailFrom" must match a DKIM signature, or somesuch, then a mailing list that inserts its own MailFrom, without adding its own signature, could break bounces.

What is lacking is a defined strategy to deal with possible replay abuse. It could be assumed a signing domain has some strategy to handle replay abuse originating within their own domain. This replay abuse can result from MailFrom bounces, or from forwarded messages. Traffic from mailing lists will require exceptional handling, especially when the message signature has not been invalidated.

BATV will not help when a message passes through a mailing list. BATV must also restrict where messages are allowed to originate to those outbound servers sharing the encoding secret.

Avoiding the initiation of a bounce independent of whether some email- address matches that of the MailFrom, would be to note whether the SMTP client was within the signing domain. When the SMTP client is within the signing domain, the chance of a message being a replay diminishes greatly. This would not require any email-address contained within the message to match that of the signing domain.

-Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>