Wietse Venema wrote:
Wietse Venema wrote:
a) DKIM is for declaring the presence of an accountable identity.
If a signature is present, you know something. If it is absent,
you know nothing extra.
b) ADSP attempts to tell you something, in the absence of a
signature. It does that by defining something else that must be
present. If the ADSP record is present, you know something. If
it is absent, you know nothing extra.
c) Checking for the presence of [any DNS] record is intended to try
to tell you something in the absence of an explicit action by the
domain owner. That's its flaw: It is intuiting ADSP information
from non-ADSP action.
To clarify a perhaps overlooked point: the existence of [any DNS]
record for the Originator domain does NOT imply that it is a valid
email origin. If the record is absent, then we know nothing that
the absence of the ADSP record for that domain didn't already tell
us. Any suggestion to the contrary is probably a mistake.
Jim Fenton:
ADSP is doing the converse of that: it takes the non-existence
of [any DNS] record for the Author Domain as an implication that
it is NOT a valid email origin, or more accurately reports if that
is the reason there isn't an ADSP record for that domain.
The problem is that "valid email origin" is a subset of all the
names that resolve in the DNS. In other words, there are false
positives in the algorithm that continues when [any DNS] record
lookup succeeds.
That's true; that's why the result from ADSP in this case is, or should
be, "Unknown". But I don't see that in the spec; it simply indicates
that no ADSP record was present, and the spec isn't giving enough
guidance about what to do in that case. In ssp-01, it had said
"non-suspicious" in this case, and apparently this got lost when
suspiciousness was removed.
Thanks for spotting that.
-Jim
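The decision logic the thread is arguing about, as an added example (not code from the DKIM working group, from Wietse, from Jim, or from any MTA): an ADSP-style evaluation over a stub DNS, written so that "domain exists but publishes no ADSP record" comes out as "unknown", the outcome Jim's reply says the spec should state. The zone data, the stub `lookup_txt`, and the result labels are all constructed for this example; a name missing from the dict is treated as NXDOMAIN.

```python
"""Toy model of the ADSP lookup outcome discussed in the thread.

Constructed example; the stub "DNS" is a plain dict. A name absent from
the dict is NXDOMAIN; a present name maps to its list of TXT strings.
"""
from typing import Dict, List, Optional

ADSP_PREFIX = "_adsp._domainkey."

# Constructed zone data (not any real domain's records).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "example.com": ["v=spf1 -all"],                  # exists, publishes no ADSP
    "strict.example": ["v=spf1 -all"],
    "_adsp._domainkey.strict.example": ["dkim=all"],  # exists, ADSP practice "all"
    "open.example": [],                              # exists (say, A record only), no TXT
    "_adsp._domainkey.open.example": ["dkim=unknown"],
}


def lookup_txt(dns: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """TXT strings for `name`, or None when the name does not exist (NXDOMAIN)."""
    return dns.get(name)


def parse_adsp(txt_strings: List[str]) -> Optional[str]:
    """Extract the dkim= practice from ADSP TXT strings; None if no usable record."""
    for txt in txt_strings:
        for tag in txt.split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip().lower() == "dkim":
                return value.strip().lower()
    return None


def evaluate_adsp(author_domain: str, dns: Dict[str, List[str]],
                  author_signature_valid: bool) -> str:
    """What a receiver learns about a message with or without an Author Domain Signature.

    Returns one of "signed", "nxdomain", "unknown", "all", "discardable".
    "unknown" is the case the thread is about: the Author Domain resolves,
    but no ADSP record is present, so the receiver learns nothing extra.
    """
    if author_signature_valid:
        return "signed"      # a present signature tells you something; ADSP not consulted
    if lookup_txt(dns, author_domain) is None:
        return "nxdomain"    # the Author Domain does not exist at all
    adsp_txt = lookup_txt(dns, ADSP_PREFIX + author_domain)
    if adsp_txt is None:
        return "unknown"     # resolves, but the owner published no practice
    practice = parse_adsp(adsp_txt)
    if practice in ("all", "discardable"):
        return practice
    return "unknown"         # dkim=unknown, malformed, or unrecognised practice


if __name__ == "__main__":
    for domain in ("example.com", "nosuch.example", "strict.example", "open.example"):
        print(domain, "->", evaluate_adsp(domain, CONSTRUCTED_DNS, False))
```

The point of the separate `nxdomain` and `unknown` outcomes is exactly Wietse's (c): a name that resolves is not thereby a valid email origin, so the existence check only serves to distinguish "no such domain" from "domain said nothing", and a receiver should not read anything stronger into the latter.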
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html