RE: [ietf-dkim] Some concerns with SSP impact on very small businesses

2008-01-09 08:51:13


-----Original Message-----
From: Jim Fenton [mailto:fenton(_at_)cisco(_dot_)com]
Sent: Tuesday, January 08, 2008 11:14 PM
To: Siegel, Ellen
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Some concerns with SSP impact on very small businesses

Siegel, Ellen wrote:

With SSP in play, once the ISP (e.g. yahoo.com) decides to publish an SSP record things start to go downhill. The above configuration will always trigger a lookup since the signature will never come from the ISP domain, and the Verifier will only look for the SSP policy in the From: address domain (yahoo.com). Since it's unlikely that any third party signature used by outsource.com on behalf of their customers (whether it's outsource.com directly, or unique signatures per-customer) will be included in the list of Verifier Acceptable Third Party signatures at a given Verifier, a record with either dkim=all or dkim=strict will cause the joesbikeshop email to be consistently labeled as suspicious even though it is authenticated and even though the address belongs to the author of the email.


The premise here is that a consumer ISP such as yahoo.com is going to publish an 'all' or 'strict' SSP record.  I am not aware of any consumer ISP that, as part of its Terms of Use, requires its customers to send outgoing mail through its mail servers.  There might be some that have this requirement in order to do more effective outbound spam filtering, but I'm not aware of them.  In the absence of such a requirement, it would be improper for these ISPs to publish an 'all' or 'strict' SSP, as that would be, in effect, imposing a restriction that wasn't there. Customers sending mail using their personal addresses through their company's mail infrastructure, or from a hotel that blocks port 25, would have the same problem.

Hopefully the consumer ISPs will recognize this.  We need to make every effort to make everyone know that publishing 'all' or (particularly) 'strict' is not something that is done lightly.  I know of tools that are under development to help domain owners know from where mail from their domains is being sent, and hopefully this will raise awareness too.  I expect that it will be a small but economically significant proportion of domains that will ever be able to publish anything other than 'unknown'.

I hope you're right, and encourage you to drive this point with the ISPs. It would also be interesting to get some direct feedback from them on this point; it would be useful to have some data. ISPs tend to have concerns with abusive use of their email addresses just as many other large brands do, so I would tend to expect them to push for at least dkim=all publication. If it is in fact reasonable to expect that ISPs will tend to stick to 'unknown', then the impact on these small senders should be relatively minor.

Ellen 
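As an added illustration of the verifier behaviour the thread describes (this is constructed example code, not code from the list, the SSP draft, or any DKIM implementation): a toy Python model of SSP evaluation. The message is "ok" when a valid signature comes from the From: domain itself (no lookup happens); otherwise the verifier looks up the SSP record of the From: domain only, treats a missing record as 'unknown', and under 'all' or 'strict' accepts the message only if the signer is on its local list of acceptable third-party signers. The record strings, the domains (yahoo.example, outsource.example and so on) and the acceptable-signer list are all assumptions; 'all' and 'strict' are treated identically here because the scenario in the thread does not distinguish them.

```python
"""Toy model of SSP (Sender Signing Practices) evaluation as discussed on ietf-dkim.

Constructed example; the records, domains and verifier list below are assumptions,
embedded inline so the model runs offline instead of querying DNS.
"""

from dataclasses import dataclass

# Constructed SSP records keyed by the author (From:) domain.
SSP_RECORDS = {
    "yahoo.example": "dkim=all",       # hypothetical consumer ISP publishing 'all'
    "strict.example": "dkim=strict",   # hypothetical domain publishing 'strict'
    "lenient.example": "dkim=unknown", # hypothetical domain publishing 'unknown'
}

PRACTICES = ("unknown", "all", "strict")


def parse_ssp(record):
    """Return the dkim= practice from a record string.

    A missing record or an unrecognized practice value is treated as 'unknown'
    (assumption made for this toy model).
    """
    if not record:
        return "unknown"
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "dkim":
            value = value.strip().lower()
            return value if value in PRACTICES else "unknown"
    return "unknown"


@dataclass
class Verifier:
    """A verifier with its own list of acceptable third-party signing domains."""
    acceptable_third_party: frozenset
    lookups: int = 0  # counts SSP lookups, to show when one is triggered

    def fetch_ssp(self, author_domain):
        # Stands in for the DNS query; only the From: domain is ever consulted.
        self.lookups += 1
        return parse_ssp(SSP_RECORDS.get(author_domain))


def evaluate(verifier, author_domain, valid_signer_domains):
    """Return (verdict, reason) for a message from author_domain.

    valid_signer_domains is the set of d= domains whose DKIM signatures verified.
    """
    if author_domain in valid_signer_domains:
        # Author signature present: no SSP lookup is needed at all.
        return ("ok", "author signature present; no SSP lookup")

    practice = verifier.fetch_ssp(author_domain)
    if practice == "unknown":
        return ("ok", "no author signature, but practice is unknown")

    if valid_signer_domains & verifier.acceptable_third_party:
        return ("ok", f"practice {practice}: signed by an acceptable third party")

    # The joesbikeshop case: authenticated by outsource.example, yet suspicious.
    return ("suspicious",
            f"practice {practice}: no author signature and signer not acceptable")


if __name__ == "__main__":
    v = Verifier(acceptable_third_party=frozenset({"bigesp.example"}))
    print(evaluate(v, "yahoo.example", {"outsource.example"}))
    print(evaluate(v, "lenient.example", {"outsource.example"}))
    print("lookups:", v.lookups)
```

Running it with the constructed data reproduces the thread's point: mail from a yahoo.example address signed by outsource.example is flagged once yahoo.example publishes 'all', while the same mail passes if yahoo.example stays at 'unknown' or if the verifier happens to list outsource.example as an acceptable third party.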


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html