MH Michael Hammer (5304) wrote:
It also seems that the number of domains who want this will likely be
a small fraction of the total number of domains, and likely a small
fraction of the number of emails sent.
That may be true today but may not be true tomorrow.
Besides the fact you can't design a public protocol starting with a
discrimination model, all must be applied using the same public
protocol, same rules, whether it's true or not, this may be exactly the
segment of people who will benefit the most from DKIM+POLICY.
But even then, the BIGGER domains are also needing protection.
Gmail.com sends millions of messages per day now signed when you are
on GMAIL.COM.
I can use the same gmail.com junk mail account across other sites and
I do so very very loosely because I don't care - it's a junk address.
So GMAIL.COM, in my view, as a public free service email model does
not benefit with ADSP for their branded domain because its potential
is high for a "Cry Wolf" effect - high potential for failure at
receivers, hence receivers will have a tendency of ignoring it.
But there are people and companies that use Google Apps seriously and
their gmail.com is important to them.
Now, there is another solution that the Google developer mindset might
consider in the area of WEB SERVICES. Each gmail user can have its
own LOOKUP policy setting
[X] I only use GMAIL Online to create mail. Never outside.
Now GOOGLE can publish a REST web server user DKIM lookup protocol
that is not DNS based. They have tons of REST web service user lookup
functions already so this one would be a simple addition. This will
allow receivers who get email from a purported GMAIL.COM account to
support what I would call:
GUSP (GMail User Signing Policy) Protocol.
http://gusp.gmail.com?user=xxxxxxxx
It can be done as a fast SMTP callout and the call response will be
200 (GMAIL_ONLY) or (403) OPEN and certainly, the receiver can cache
this for some TTL.
Now all receivers will be able to protect GMAIL.COM accounts,
disseminate the junk spoofing that is rampant today for all these free
ESP domains.
So get busy Google and write that GUSP I-D! and get a leg up on their
competitors! Add value to GMAIL.COM commercial usage with DKIM/GUSP
protection.
(Other information could be communicated in-band in the same way -
including "we're no longer dkim signing every email sent").
Why not include both options (trying to be flexible here)? If one looks
at Dave's affilias proposal, some receivers might choose to check for
ADSP records against some arbitrary list of domains (all registered
financial institutions for example).
No public standard protocol will work well if its done on a
discriminatory basis. Some group will be hurt by this way of
designing a protocol and history has shown that when you intentionally
neglect something believing it will have a low impact, it is among the
first things that are exploited.
--
Sincerely
Hector Santos
http://www.santronics.com
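
The receiver-side check the message describes, as an added example that is not part of the original post and not code from any real service: GUSP is only a proposal here, so the callout is an injected function, and the class and function names, the one-hour TTL and the treatment of a failed lookup as "unknown" are all assumptions.

```python
import time

GMAIL_ONLY, OPEN = 200, 403  # response codes as given in the post

class GuspClient:
    """Caches per-user answers; `lookup` is a hypothetical transport (user -> status)."""
    def __init__(self, lookup, ttl=3600.0, clock=time.monotonic):
        self.lookup, self.ttl, self.clock = lookup, ttl, clock  # ttl value is assumed
        self._cache = {}  # user -> (status, expiry)

    def policy(self, user):
        now = self.clock()
        hit = self._cache.get(user)
        if hit and hit[1] > now:
            return hit[0]
        try:
            status = self.lookup(user)
        except OSError:
            return None  # callout failed: unknown, and not cached
        if status not in (GMAIL_ONLY, OPEN):
            return None  # unexpected answer: treat as unknown
        self._cache[user] = (status, now + self.ttl)
        return status

def evaluate(client, from_addr, dkim_pass_domains):
    """Return 'pass', 'fail' or 'neutral' for one message.
    dkim_pass_domains: d= domains whose DKIM signatures verified."""
    local, _, domain = from_addr.rpartition("@")
    if domain.lower() != "gmail.com":
        return "neutral"  # GUSP as described only covers gmail.com authors
    if "gmail.com" in {d.lower() for d in dkim_pass_domains}:
        return "pass"  # valid first-party signature, no callout needed
    if client.policy(local.lower()) == GMAIL_ONLY:
        return "fail"  # user only sends via Gmail, yet no valid gmail.com signature
    return "neutral"  # OPEN or unknown: absence of a signature proves nothing

if __name__ == "__main__":
    # Constructed sample data standing in for the real callout.
    table = {"alice": GMAIL_ONLY, "bob": OPEN}
    client = GuspClient(lambda user: table.get(user, 500))
    for addr, signed in [("alice@gmail.com", ["gmail.com"]),
                         ("alice@gmail.com", ["example.net"]),
                         ("bob@gmail.com", [])]:
        print(addr, signed, "->", evaluate(client, addr, signed))
```
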