John L wrote:
> My expectation is that a large majority of domains that would publish
> strict SSP policies would be small mail systems with no more forgery
> problems than anyone else, but an exaggerated idea of their own
> importance.
I'm sorry, but is it just your peevishness about their perceived
self-importance? What difference does it make if they aren't as
important as they think they are? How is that negatively affecting
you?
> My understanding is that the point of publishing SSP is to help mail
> recipients filter their mail better, where the only useful meaning of
> better is that it makes the recipient users happier.
Well, that applies to any filtering concept in general - hence the term
filtering.
To me, SSP is related to the DKIM-BASE "promotion" for a new level of
operations and expectations.
The DKIM-BASE presumption is such that all mail is going to be signed or
not signed and that the receiver should make new assertions about the
valid DKIM-BASE signed mail.
The problem is twofold:
- Was it authorized (signed) by the right person?
- Was it REALLY not signed (as opposed to failed) at all?
The idea that a receiver should just apply special DKIM considerations
to valid signed mail and ignore the "Same Considerations" when they are
not signed, just accept it as it was legacy stuff, is unacceptable in my
book.
This can only be resolved by what is expected by the "domain
owner." That expectation has to come from somewhere.
In my opinion, it boils down to:
a) Some believe that comes from a non-standard TRUST service
(another form of SSP, but limited only to those who are
members of the TRUST server).
b) A "batteries not required" industry standard SSP approach
which allows the DOMAIN itself to define the expectation.
The first method can offer both merged "POLICY" and "REPUTATION" logic.
The latter is simply about DKIM-BASE protocol consistency. In lieu of a
white/black list, no reputation is considered. Everyone is viewed the
same way.
The first has limited effectiveness since it is secluded to member
records only and it has NO logic for unsigned mail signatures. This
will not allow receivers to cover DKIM across the board. i.e., it doesn't
address the legacy market - where the majority of abuse is located.
The latter has the potential to be vastly effective since no special 3rd
party membership is required and MOST of the abuse occurs when there is
protocol inconsistency. This will allow receivers to cover DKIM across
the board.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
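An added illustration (not code from the post, nor from any DKIM or SSP implementation) of the receiver-side decision the post argues for: judge "really unsigned" and "signature failed" separately, against what the From: domain itself says it expects. The practice names "unknown", "all" and "strict", and the disposition strings, are assumptions modelled on the SSP vocabulary, not the draft's normative behaviour.

```python
from dataclasses import dataclass

# Assumed SSP practices (modelled on the draft's vocabulary, not its normative text):
#   "unknown" - domain makes no claim about signing (the legacy case)
#   "all"     - domain says all its mail is signed, third-party signers accepted
#   "strict"  - domain says all its mail carries its own first-party signature
PRACTICES = {"unknown", "all", "strict"}


@dataclass
class DkimResult:
    status: str          # "pass", "fail", or "none" (no signature header present at all)
    signing_domain: str  # the d= tag of the signature that was checked, "" if none


def evaluate(from_domain: str, dkim: DkimResult, practice: str) -> str:
    """Return a disposition for one message given the verifier result and the
    From: domain's published practice (constructed disposition labels)."""
    if practice not in PRACTICES:
        raise ValueError(f"unsupported practice {practice!r}")

    if dkim.status == "pass":
        # Question 1 from the thread: was it signed by the right party?
        if dkim.signing_domain.lower() == from_domain.lower():
            return "accept:first-party"
        if practice == "strict":
            # Domain said only its own signature counts; a third-party one does not satisfy that.
            return "suspicious:third-party-signature"
        return "accept:third-party"

    # No valid signature. Question 2: really unsigned, or a signature that failed?
    if practice == "unknown":
        # Legacy domain with no stated expectation: nothing to hold the message against.
        return "neutral:no-policy"
    if dkim.status == "none":
        # Domain said everything is signed, yet nothing arrived: protocol inconsistency.
        return "suspicious:unsigned-but-policy-requires-signature"
    # "fail": a signature was present but did not verify; treat it as unsigned, not as accepted.
    return "suspicious:broken-signature"
```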