John L wrote:
> > > > > How does an SSP-like protocol do that? Assertions like "I am a phish
> > > > > target" don't do it.
> > > >
> > > > Why not?
> > >
> > > Because you (the generic you, whoever publishes SSP) aren't credible
> > > short of some reputation system which would make SSP irrelevant anyway.
> >
> > Depends on the nature of the assertion. If the assertion is "I'm a good
> > guy" or "I send virus-free messages" the receiver isn't likely to
> > believe me. If the assertion is "Be very careful about messages coming
> > from my domain", why shouldn't the receiver pay attention to that?
>
> It's fine to make statements about your own practices, like "I sign
> everything" or "All of my mail is composed in iambic pentameter" since
> that reflects things you have control over. Claiming you're a phish
> target is making assertions about the behaviors of zillions of other
> senders who you don't even know.

With respect to a domain likely to use SSP (such as a domain used only
for transactional messages), who are these zillions of other senders,
and why should that domain be concerned about them?

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html