ietf-dkim

Re: [ietf-dkim] Are lookalike domains like parent domains?

2008-04-30 13:03:03
On 4/30/08, Steve Atkins <steve(_at_)blighty(_dot_)com> wrote:


> The NXDOMAIN thing means only one thing for a receiver. Don't
> accept mail that claims to be from non-existent domains.
>
> The reason there's discussion about it is that one of the ways
> in which ADSP is iffy is that it only doesn't allow you to state
> "I don't send unsigned mail from any hostname that ends
> in .example.com". If your domain is example.com, and I
> decide to send mail claiming to be from
> mail.flooble.example.com there's no way you can publish
> an ADSP record to assert that that mail isn't from you, unless
> you guess the magic word "flooble".
>
> You, of course, don't care because you know there's no
> hostname or MX record for mail.flooble.example.com, so
> no right-thinking recipient will consider it legitimate mail
> anyway.

Thanks, that's what I thought, I think.

What if the from is a subdomain that isn't being used for mail, but
commonly exists? Let's say I set up DKIM+ADSP for spamresource.com and
mail.spamresource.com. Without any sort of tree walking, if I forget
to configure ADSP for www.spamresource.com, this could potentially get
through as "doesn't have DKIM but the domain is legit." Isn't this a
potential loophole that is resolved only by a very careful vetting of
everything in your domain tree and ensuring each hostname/zone is
configured with ADSP? Or am I wrong on that?

It seems like the treewalking would help to address stuff like this....?

Best,
Al

-- 
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com   --   Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
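
The receiver-side evaluation discussed in this thread, as an added example that is not part of either message or of any DKIM implementation: an NXDOMAIN check on the author domain, then an exact-name ADSP lookup at `_adsp._domainkey.<domain>`. The zone data, function names and result strings are constructed for illustration, `domain_exists` stands in for a real DNS existence check, and the `tree_walk` option is a hypothetical parent fallback with no public-suffix handling.

```python
# Constructed sample data standing in for DNS; nothing here is queried live.
HOSTS = {"example.com", "spamresource.com",
         "mail.spamresource.com", "www.spamresource.com"}
ADSP_TXT = {
    "_adsp._domainkey.example.com": "dkim=all",
    "_adsp._domainkey.spamresource.com": "dkim=all",
    "_adsp._domainkey.mail.spamresource.com": "dkim=all",
    # www.spamresource.com exists as a host but has no ADSP record (the forgotten name).
}

def domain_exists(name):
    """Stand-in for 'the lookup did not return NXDOMAIN' (simplified to a set test)."""
    return name in HOSTS

def adsp_practice(domain):
    """Exact-name lookup only: no wildcard and no parent fallback."""
    txt = ADSP_TXT.get(f"_adsp._domainkey.{domain}")
    if txt is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags.get("dkim", "unknown")

def evaluate(author_domain, has_valid_author_sig, tree_walk=False):
    """Classify a message by its From: domain and DKIM result."""
    domain = author_domain.lower().rstrip(".")
    if not domain_exists(domain):
        return "reject: nxdomain"          # the mail.flooble.example.com case
    if has_valid_author_sig:
        return "accept: signed"
    practice = adsp_practice(domain)
    labels = domain.split(".")
    i = 1
    # Hypothetical tree walk: inherit from the nearest ancestor with a record,
    # stopping at two labels (crude; a real design needs zone-cut awareness).
    while tree_walk and practice is None and len(labels) - i >= 2:
        practice = adsp_practice(".".join(labels[i:]))
        i += 1
    if practice in ("all", "discardable"):
        return f"suspicious: unsigned, dkim={practice}"
    return "no policy: unsigned treated as unknown"

if __name__ == "__main__":
    for name in ("mail.flooble.example.com", "mail.spamresource.com",
                 "www.spamresource.com"):
        print(name, "->", evaluate(name, False),
              "| with tree walk ->", evaluate(name, False, tree_walk=True))
```
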
