The purpose of SSP is to detect unauthorized domain use. This can
not be achieved if the spec assumes that a signature from just
anybody what-so-ever is OK.
But that's not what Dave said. He said that if there's a signature, a
receiver doesn't do SSP. It remains up to the receiver to decide what
to do with the message, including deciding what its opinion is of
the signing domain.
To offer some concrete examples, if I get mail signed by nytimes.com
with your domain on the From: line, I'm going do deliver it no matter
what your SSP says, because I know that the Times doesn't send spam.
Even if you have a firm corporate policy that your users aren't
allowed to send mail from the Times' web site and a fierce SSP to
match, that's not my problem.
Conversely, if I get mail signed by a sleazy domain in Nigeria that's
never sent me mail I wanted, I'm going to junk it.
Incidentally, this chronic misreading of "the signature identifies the
responsible domain" as "accept the message" (not just by one person)
tells me that we have some significant misunderstandings about what
DKIM does and doesn't do.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html