ietf-dkim

[ietf-dkim] ADSP -> Experimental

2009-03-09 21:33:47
I've been trying to find _adsp records, and there's precious few of
them.  Of the 73 domains that have sent me DKIM signed mail recently,
three have dkim=unknown, two have dkim=all, and the other 68 have no
ADSP.  The two with dkim=all are both tiny personal domains with only
a single user.  I checked obvious candidates that do sign all their
mail and could be considered phishing targets such as paypal.com,
ebay.com, ag.com, and cisco.com, and found no ADSP.

So the implementation experience is, to put it generously, pretty
sparse.  Between the lack of experience and the serious design
problems that a significant number of people in the DKIM group find in
ADSP, it seems like a very poor candidate for standardization in its
current form.

If it were up to me, I'd forget about it for now, get more experience
with DKIM, and try dropping unsigned mail from places like paypal.com
and ag.com to see how much difference it makes and how many of their
signatures break.  (Since Paypal and AG each send mail from a small
set of easy to identify servers, you can generally look at mail with
broken signatures and tell whether it's real anyway.)  When we have a
better understanding of how people use DKIM, how the various
identities are used, and how signatures break, maybe then we can
consider whether there are self-assertions that would be useful to
receivers.

Since there seems to be a faction that is nonetheless eager to publish
something about ADSP, an Experimental RFC would better reflect the
reality of the situation, since ADSP in its current form really is
just an experiment.

R's,
John
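
Added example, not part of the message above or of any DKIM implementation: a Python sketch of the kind of survey the post describes, assuming the record location `_adsp._domainkey.<domain>` and the `dkim=` tag syntax later published in RFC 5617. The domains, TXT strings and function names are constructed for illustration, and the DNS lookup is passed in as a function so the block runs offline.

```python
import re
from collections import Counter

KNOWN = {"unknown", "all", "discardable"}
# A record counts as ADSP only if it starts with lowercase "dkim",
# optional whitespace, then "=" (assumption: RFC 5617 syntax).
_ADSP_RE = re.compile(r"^dkim[ \t]*=[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*(?:;|$)")

def parse_adsp(txt):
    """Return the signing practice in one TXT string, or None if not ADSP."""
    m = _ADSP_RE.match(txt)
    if m is None:
        return None
    value = m.group(1).lower()
    # Unrecognized practice values are treated as "unknown".
    return value if value in KNOWN else "unknown"

def adsp_name(domain):
    """DNS name queried for a domain's ADSP record."""
    return "_adsp._domainkey." + domain.rstrip(".").lower()

def survey(domains, txt_lookup):
    """Tally practices; txt_lookup(name) returns a list of TXT strings."""
    tally = Counter()
    for d in domains:
        found = [p for p in map(parse_adsp, txt_lookup(adsp_name(d))) if p]
        # Simplification for this example: anything other than exactly
        # one valid record is counted as "none".
        tally[found[0] if len(found) == 1 else "none"] += 1
    return tally

# Constructed sample data standing in for real DNS answers.
SAMPLE_TXT = {
    "_adsp._domainkey.a.example": ["dkim=all"],
    "_adsp._domainkey.b.example": ["dkim = unknown;"],
    "_adsp._domainkey.d.example": ["v=spf1 -all"],   # e.g. wildcard TXT, not ADSP
    "_adsp._domainkey.e.example": ["dkim=strict"],   # unrecognized value
}
SAMPLE_DOMAINS = ["a.example", "b.example", "c.example", "d.example", "e.example"]

def sample_lookup(name):
    return SAMPLE_TXT.get(name, [])

if __name__ == "__main__":
    for practice, count in sorted(survey(SAMPLE_DOMAINS, sample_lookup).items()):
        print(f"{practice}: {count}")
```

To run it against live DNS, replace `sample_lookup` with a function that returns the TXT strings for the given name from a resolver of your choice.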