On Mar 17, 2008, at 5:59 PM, Hector Santos wrote:
Douglas Otis wrote:
While MX and A records are used to discover inbound SMTP servers,
they can also play a role in determining whether the domain might
also be publishing DKIM-related policy.
The technical reality today is such that all mail-responding
software is required to follow the RFC-based mail system rules for
responding to an originating address:
Use Reply-To: field. If not available, fall back to From:
DKIM permits reliance on the signing domain. Although DKIM policy is
not directly related to SMTP operations, a domain publishing SMTP
discovery records confirms the validity of the From domain, whose
policy is in question. Discovery records can be used to ascertain
whether policy should be expected, and conversely permit presence of a
policy record in the absence of MX records to disavow public use of
the domain. In addition, this disavowal is determined without
dependence upon record content.
A receiver must invest a fair amount of resources to determine DKIM
signature validity. Confirming validity of the domain prior to
cryptographic processing offers both receivers and parent domains
added protections. Of course, private relationships between
transmitter and receiver alleviate the need to confirm the
originating domain's validity and even permit use of other
transports. However, DKIM ADSP policy records should only pertain to
messages publicly delivered to SMTP-related destinations. While other
protocols might be converted to SMTP, DKIM policy may interfere with
their acceptance.
In other words, in practice, the only thing that is required for a
valid response is that Reply-To works, if any, and if not, then use
From:
So unless the Reply-To: header is taken into account in the "Total
DKIM+POLICY Solution", it really is not addressing the entire issue.
This is also one area I believe SENDER-ID fails with its protocol
theme of depending on some PRA that does not take into account the
Reply-To address.
Sender-ID attempts to relate PRAs with IP addresses of all SMTP
clients that might be used. This relationship depends upon heuristics
that, in some cases, conflict with established practices and
standards. The goal of DKIM is to retain validity of the signing
domain in concert with established practices and standards. Mailing
lists that alter message content are not exceptions, but do represent
cases where policy gains importance. In this case, your concern
regarding the change made in definitions for "strict" is justified,
IMHO.
Think about it:
Assume a message gets to a user and it passes all the CBV, RBL, SPF,
SENDER-ID, DKIM, ASP POLICY tests, or at least they don't raise any
red flag; if the Reply-To field is bogus, then it may be all for
nothing. The user may be hosed.
As you have noted, a DKIM signature is able to block the use of the
Reply-To field. As trust moves to the DKIM signing domain, the domain
should not employ length parameters or leave critical header fields
open. To deal with mailing lists, the TPA-SSP draft will be updated
with a utility that generates third-party authorization labels. IMHO,
third-party authorization scales far more economically and offers a
much safer solution for mailing lists and third-party providers. The
authorization scheme is transparent to most users; however, who signed
the message remains easily determined. Authorization places fewer
eggs in the same basket.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
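
The point raised in the thread about length parameters and header fields left open can be checked on a received message. The following is an added example, not code from either poster or from any draft: it reads the `h=` and `l=` tags of a DKIM-Signature and reports which fields could still gain an instance (for example a Reply-To) without invalidating the signature. The `CRITICAL` list, the function names and the sample message are assumptions constructed for the example.

```python
import re

# Fields a receiver may want covered; this selection is an assumption of the example.
CRITICAL = ("from", "reply-to", "subject", "date", "to")

# Constructed sample message headers and signatures (not real mail).
HEADERS = [("From", "alice@example.com"), ("To", "bob@example.net"),
           ("Subject", "hello"), ("Date", "Mon, 17 Mar 2008 18:00:00 -0700")]
WEAK_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:\r\n"
            " subject:date; l=1200; bh=CONSTRUCTED; b=CONSTRUCTED")
STRICT_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel; bh=CONSTRUCTED;"
              " h=from:from:reply-to:subject:subject:date:date:to:to; b=CONSTRUCTED")

def parse_tags(value):
    """Parse a DKIM-Signature value ("tag=value; ...") into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # first "=" only; b= may contain more
        if sep:
            tags[name.strip().lower()] = val.strip()
    return tags

def audit(message_headers, dkim_value):
    """Return findings about what the signature leaves unsigned or open."""
    tags = parse_tags(dkim_value)
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    present = [name.lower() for name, _ in message_headers]
    findings = []
    if "l" in tags:
        findings.append("l= present: body beyond %s bytes is unsigned" % tags["l"])
    for field in CRITICAL:
        n_signed, n_present = signed.count(field), present.count(field)
        if n_present > n_signed:
            findings.append("%s: present but not covered by h=" % field)
        elif n_signed == n_present:
            # h= names only the existing instances (possibly none), so one more
            # instance added in transit is ignored by the verifier.
            findings.append("%s: open, an added instance would still verify" % field)
        # n_signed > n_present: the extra h= entry signs "no such field",
        # so adding that field afterwards breaks the signature.
    return findings

if __name__ == "__main__":
    for label, sig in (("weak", WEAK_SIG), ("strict", STRICT_SIG)):
        print(label, audit(HEADERS, sig))
```
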