Suresh Ramasubramanian wrote:
> On Sun, Mar 8, 2009 at 8:58 PM, MH Michael Hammer (5304)
> <MHammer(_at_)ag(_dot_)com> wrote:
>> Suresh, notwithstanding what some vendors might wish in terms of
>> reputation, the case for ADSP is and always has been to leverage DKIM to
>> be able to say "this domain signs all mail" in one way or another.
> That seems like an overly complex, Rube Goldberg-ish way to indicate
> it. More like developing SPF, with your sole reason being to publish
> "v=spf1 -all" indicating that a domain never sends email.
> And it is still not something I would trust without confirmation and
> verification out of band (this, having noticed more than one wrong SPF
> declaration that, if we'd bothered to check on it in our mail server, would
> have resulted in lost mail).
> Further, at least from my perspective, it is not something I would
> bother to check for all but a few significant domains.
Suresh,

Opinions vary.

This would be your [local] policy, your implementation, your
operation. Neither you nor I can speak for others, but I hope the goal here
is to provide the standard protocol tools for vendors/implementers
to provide to their customers and operators to allow them to decide.
Here's the irony:

You just defined your own "POLICY" table - a list of significant
domains to check.

So you have your own localized table for "ADSP" lookup considerations.
I would classify this as a non-anonymous operation.
That hasn't been the real problem IMO. The problem is the anonymous,
the unsolicited, the other good/bad sites of the "significant" world
that may not be part of some special white/black table. If anonymous
operations were not allowed, and every sender was required to authenticate,
then we probably wouldn't be here today. But it isn't realistic to
have a closed system across the board. Open SMTP is still valid for
communications.
I would agree with you that valid signatures still require help in the
area of positive reputations. But IMO, failure detection provided
with DKIM+POLICY is where you don't really need reputation.

Just consider that reputation is already widely in practice in many forms.
Many believe that good signatures will not trump a bad rap and, vice
versa, bad signatures will not trump a good rap. So what's the rule
here? Does reputation trump DKIM/POLICY? Is it done by weights? Or
does some certified trusted service govern who is good or bad?
How many times does an ADSP domain have to tell a receiver that failed
signatures or no signatures should be discarded per their ADSP? 1, 2,
5, 10 times? Why would a receiver continue to endure the overhead
when the DOMAIN with an ADSP record is telling the receiver:

    "Dude, do yourself a favor. It's not our mail.
    I suggest you get rid of it. No need to build up
    a score or pass the junk to users, and please do
    not bounce it to us!"
Reputation is still open-ended. No real rules to it other than the
traditional scale/weight concepts. No standard, so unless you are
promoting a single entity, a centralized service everyone can use (and
must/should use to gain any real benefit, if that is what you believe),
at best, all we can do is define what the "feed" to these
futuristic services is.
--
Sincerely
Hector Santos
http://www.santronics.com
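The receiver-side logic the two posters are arguing about (an ADSP lookup at `_adsp._domainkey.<author-domain>`, the `dkim=unknown|all|discardable` practices from RFC 5617, and Suresh's "only check a few significant domains" local table) can be written down concretely. The following is an added example for this list archive, not code from either poster or from any DKIM implementation; the domain names, the in-memory `FAKE_DNS` map standing in for real TXT lookups, and the signature-verification result passed in as a boolean are all constructed so the script runs offline.

```python
"""ADSP-style disposition for a message whose author-domain signature failed.

Added example: the DNS answers below are a constructed stand-in for real
TXT lookups, and the caller supplies the DKIM verification result.
"""

# Constructed DNS view: owner name -> ADSP TXT record.
# news.example deliberately publishes no ADSP record at all.
FAKE_DNS = {
    "_adsp._domainkey.bank.example": "dkim=discardable",
    "_adsp._domainkey.shop.example": "dkim=all",
    "_adsp._domainkey.club.example": "dkim=unknown",
}

# The three outbound signing practices defined by ADSP (RFC 5617).
VALID_PRACTICES = {"unknown", "all", "discardable"}


def parse_adsp(txt):
    """Parse a 'tag=value; tag=value' ADSP record into its dkim= practice.

    Any malformed or unrecognised record is treated as 'unknown', the
    conservative default, rather than as an instruction to discard.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    practice = tags.get("dkim")
    return practice if practice in VALID_PRACTICES else "unknown"


def lookup_adsp(author_domain, dns=FAKE_DNS):
    """Return the domain's ADSP practice, or None when no record exists."""
    txt = dns.get(f"_adsp._domainkey.{author_domain}")
    return None if txt is None else parse_adsp(txt)


def adsp_disposition(author_domain, author_sig_valid,
                     significant_domains=None, dns=FAKE_DNS):
    """Decide what to do with a message, returning (action, reason).

    author_sig_valid: True when a DKIM signature verified AND its d= matches
                      the From: domain (an author domain signature).
    significant_domains: optional local table; when given, ADSP is only
                      consulted for domains in it (Suresh's approach).
    """
    if author_sig_valid:
        return "accept", "valid author domain signature; ADSP not consulted"
    if significant_domains is not None and author_domain not in significant_domains:
        return "accept", "domain not in local check list; ADSP skipped"

    practice = lookup_adsp(author_domain, dns)
    if practice is None:
        return "accept", "no ADSP record published"
    if practice == "unknown":
        return "accept", "dkim=unknown: domain may send unsigned mail"
    if practice == "all":
        return "suspicious", "dkim=all: domain signs all mail, none found"
    return "discard", "dkim=discardable: domain asks receivers to drop it"


if __name__ == "__main__":
    # Walk a few constructed cases so the behaviour is visible at a glance.
    cases = [
        ("bank.example", False, None),
        ("bank.example", True, None),
        ("shop.example", False, None),
        ("club.example", False, None),
        ("news.example", False, None),
        ("bank.example", False, {"shop.example"}),
    ]
    for domain, sig_ok, table in cases:
        action, why = adsp_disposition(domain, sig_ok, table)
        print(f"{domain:14} sig_ok={sig_ok!s:5} -> {action:10} ({why})")
```

Two points the code makes that the thread only implies: a valid author domain signature short-circuits the lookup entirely, so ADSP costs nothing for mail that is signed properly; and the local "significant domains" table is simply an extra guard in front of the DNS query, which is exactly the localized policy table Hector describes.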
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html