ietf-dkim

Re: [ietf-dkim] DKIM - Is policy record required?

2009-08-18 03:37:17
Hi,

Thanks Doug for the clarification.

So, even though the DKIM RFC explicitly doesn't mention the use of policy
record in the verification side, still we should query for the policy
record.

Thanks,
Deiva Shanmugam

On Tue, Aug 18, 2009 at 12:14 PM, Doug Otis 
<doug(_dot_)mtview(_at_)gmail(_dot_)com> wrote:

On 8/17/09 10:00 PM, deiva shanmugam wrote:

Hi,

Could someone let me know, is querying the policy record essential for
DKIM at verification side as DKIM is derived from Domainkeys?

In RFC 4871, usage of policy record was not clearly mentioned. But in
section 6.3, the RFC says "when communicating with a peer who, by prior
agreement, agrees to only /send signed messages/" and in section 8.4,
RFC says "A second security issue related to the DNS revolves around the
increased DNS traffic as a consequence of fetching selector-based data
as well as /fetching signing domain policy/." So, I'm not sure whether
the policy record in DNS TXT record in _domainkey.<domain_name> need to
be queried for DKIM?


Some might view policy records as a means to offer advice in creating
phished lists.  These lists identify domains suffering from being spoofed,
where such policy records grant permission to reject non-compliant messages.
Some receivers might discard non-compliant messages, which of course could
place messages forwarded through a mailing list at risk.

These records are unlikely queried on a per message basis at some negative
caching rate, as this would be needed for every email domain, and not just
for those with a DKIM signature.  Instead, a periodic sampling of DKIM
domains or a third-party service could consolidate into a list the domains
in need of stringent handling from those that have been seen using DKIM.

-Doug
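
Added example, not part of either message: a sketch of the periodic sampling approach described in the reply above, where policy records are fetched only for domains already seen signing with DKIM and the results are consolidated into a list for stringent handling. The `o=`/`t=` tag meanings follow DomainKeys (RFC 4870) and are an assumption here, as are all function names and the constructed sample records; DNS is replaced by an in-memory dict so the block runs offline.

```python
def parse_policy(txt):
    """Parse a tag list such as "o=-; t=y; r=abuse@example.com" into a dict."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        name = name.strip()
        if sep and name:
            # First occurrence of a tag wins; later duplicates are ignored.
            tags.setdefault(name, value.strip())
    return tags


def signs_all_mail(tags):
    """Assumed DomainKeys semantics: o=- means all mail is signed,
    t=y means the domain is only testing and should not be penalised."""
    return tags.get("o") == "-" and tags.get("t") != "y"


def build_strict_list(seen_domains, lookup_txt):
    """Periodic pass over domains already seen signing with DKIM.

    lookup_txt(name) returns the TXT string at name, or None when absent.
    Only these sampled domains are queried, never every sender domain.
    """
    strict = set()
    for domain in {d.lower().rstrip(".") for d in seen_domains}:
        txt = lookup_txt("_domainkey." + domain)
        if txt is not None and signs_all_mail(parse_policy(txt)):
            strict.add(domain)
    return strict


def handling(from_domain, has_valid_signature, strict):
    """Per-message decision uses the consolidated list, with no DNS query."""
    if from_domain.lower() in strict and not has_valid_signature:
        return "stringent"
    return "normal"


# Constructed sample data: policy TXT records keyed by query name.
SAMPLE_ZONE = {
    "_domainkey.bank.example": "o=-; r=postmaster@bank.example",
    "_domainkey.news.example": "o=~",
    "_domainkey.pilot.example": "t=y; o=-",
}
SEEN_SIGNING = ["Bank.Example.", "news.example", "pilot.example", "nopolicy.example"]

STRICT = build_strict_list(SEEN_SIGNING, SAMPLE_ZONE.get)
```
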



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html