ietf-dkim

Re: [ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side

2009-10-12 00:20:05
If the policy adoption level is so low and indecisive ("unknown") how
can mail receiving domains detect spoofing on all but the ~0.1% of
domains that deploy policy other than "unknown"? Even on the ~0.1%
what action can they take when signature breaks are common?

This line of discussion has been rehashed many, many, many times
already, so it would be a good idea to look at the archives.

Short summary: DKIM and ADSP offer no meaningful defense against spoofing.

* A few domains are spoof targets, but the vast majority are not.  For
that vast majority, even if they do try to sign their mail, the myriad
ways that legit mail can arrive with a broken signature make it a
poor practice for recipients to do anything with a broken or missing
signature other than ignore it.

* At this point, the only significant spoof targets that sign all
their mail are PayPal and eBay.  If you want an ADSP-like feature in
your spam filters, you're better off just checking those domains than
checking everyone who imagines that they are a) a target and b) sign
all their mail.

* Bad guys can and do trivially circumvent any ADSP-like feature by
using lookalike domains, From-line comments that resemble e-mail
addresses, and a variety of other well known techniques.

The way DKIM can be useful to deter phishing is by helping recipients
to recognize the small fraction of mail that is good, not the vast
flood of bad mail.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
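As an added example (not from the thread or any participant), a short Python check illustrating the last bullet: ADSP is evaluated only on the domain of the actual From address, so a brand name placed in the display name, in a From-line comment, or in a lookalike domain never consults the brand's record. The protected-domain list and the sample From: values are constructed.

```python
from email.utils import parseaddr
from typing import NamedTuple, Tuple

# Constructed stand-in for the "just check those domains" list from the
# post; a real filter would maintain its own list of spoof targets.
PROTECTED_DOMAINS = ("paypal.com", "ebay.com")


class FromAssessment(NamedTuple):
    author_domain: str            # the only domain ADSP is evaluated against
    display_name: str             # display name or comment, what most MUAs show
    protected: bool               # author domain is (a subdomain of) a listed one
    brand_hints: Tuple[str, ...]  # listed brands appearing outside a listed domain


def assess_from(header_value: str) -> FromAssessment:
    """Report what a receiver can actually evaluate for one From: value."""
    display, addr = parseaddr(header_value)
    author_domain = addr.rpartition("@")[2].lower()
    protected = any(author_domain == d or author_domain.endswith("." + d)
                    for d in PROTECTED_DOMAINS)
    hints = []
    if not protected:
        for d in PROTECTED_DOMAINS:
            brand = d.split(".", 1)[0]
            # Brand in the display name / comment, or in a lookalike domain:
            # neither is covered by an ADSP record published for the brand.
            if brand in display.lower() or brand in author_domain:
                hints.append(d)
    return FromAssessment(author_domain, display, protected, tuple(hints))


# Constructed From: values (example.net stands in for any unrelated domain).
SAMPLES = (
    "service@paypal.com",                          # author domain is the brand
    '"service@paypal.com" <alerts@example.net>',   # brand in the display name
    "alerts@example.net (service@paypal.com)",     # brand in a From-line comment
    "alerts@paypal.com.example.net",               # lookalike domain
)

if __name__ == "__main__":
    for value in SAMPLES:
        r = assess_from(value)
        print(f"{value!r}\n  ADSP domain: {r.author_domain}  protected: {r.protected}"
              f"  brand hints: {r.brand_hints}")
```

Only the first sample would ever cause a lookup of the brand's ADSP record; the other three are evaluated against example.net or the lookalike, which is the receiver-side gap the post describes.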
