--On 13 October 2009 23:07:58 +0000 John Levine <johnl(_at_)iecc(_dot_)com> wrote:

> This is really much simpler than you're making it out to be.
>
>> I understand the issue here, but part of the point of DKIM/ADSP is to
>> allow automated systems to assign reputation to an email domain or
>> email address - a byte string.
>
> For DKIM, that's basically right, it ties a domain to a mail stream so
> receivers can assign a reputation to the mail stream. For ADSP that's
> completely wrong, all it does is allow senders to make assertions that
> receivers may or may not find credible or useful, but that have
> nothing at all to do with managing the mail stream's reputation.
> (Remember that ADSP only applies to mail not in the signed mail
> stream.)

OK. What ADSP adds is the ability to assign reputation to a specific email
claiming to originate from a specific domain. Except for "unknown".

>> It might be nice if paypal could publish in the DNS a set of related
>> domains, that it is willing to share the reputation of paypal.com
>
> Why would they do that?

For brand reputation protection - you've cut the relevant quote that I was
responding to. It's not really a DKIM issue, but if I get email from
paypal.co.uk, then how do I determine whether that email is from paypal?
Nothing in the paypal.com ADSP records tells me anything about that domain.
I don't know whether to expect email from it. The absence of DKIM and ADSP
records tells me nothing.

My idea is that a company might publish an exhaustive list of domains that
they use, so that I can automatically detect domains that may be attempts
to defraud recipients. I'd probably only apply this to high value domains,
but the algorithm would look like this: "if the domain is similar to, but
different from PAYPAL.COM, then bump up the SpamAssassin score". After all,
that's what we hope that users will be doing when reading messages.

> Remember that DKIM is not SPF nor Sender-ID,
> and you can put your domain's signature on any mail you send. Paypal
> signs their mail with paypal.com. If I send you a Paypal payment,
> they will send you a mail with my return address announcing the
> payment. That message is signed with d=paypal.com because Paypal
> takes responsibility. (They really do this, I just tried it.)

They use a third party return-path? Presumably not, with the implications
for domains that publish spf -all records. Or you mean some message header?
The From: header? That would have ADSP implications.

>> Positive reputation could flow from paypal.com to the shared domains,
>> and negative reputation in the reverse direction.
>
> Positive reputation flows from paypal.com to the mail they sign. If you
> think they need a lot of signing domains, you're misunderstanding the
> way that DKIM works.

Actually, that isn't something that occurred to me, but it's useful to
know.

> R's,
> John
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
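The two receiver-side checks discussed in the exchange above, as an added example that is not part of the thread and not code from either John Levine or Ian Eiloart: (1) the ADSP decision John describes, where the published dkim= policy is consulted only when no verified signature has d= equal to the From: domain, so a d=paypal.com signature over a From: at another domain leaves that other domain's ADSP policy in play; and (2) the SpamAssassin-style "similar to, but different from PAYPAL.COM" rule Ian proposes, with the exhaustive list of a brand's legitimate domains modelled as a plain set. Assumptions not in the thread: DKIM cryptographic verification has already been done by a real verifier and its result is passed in as the set of d= domains that verified (nothing here does DNS or RSA); the `related` set, the sample message, the `SAMPLE_THIRD_PARTY` name, the homoglyph table and the score bump of 3.0 are all constructed for illustration.

```python
"""Added example (not from the thread): ADSP author-domain check plus a
lookalike-domain score, written as a small offline Python module.

Assumptions (not from the original messages):
  - DKIM verification is done elsewhere; the d= domains that verified
    are passed in.  No DNS lookups, no signature checking here.
  - The brand's list of legitimate domains is an in-memory set; the
    thread names no DNS record format for it.
  - The sample message, homoglyph table and 3.0 score bump are made up.
"""
import email
import email.utils
import re

# Constructed sample (not a real capture): third-party signing as the
# thread describes it, d=paypal.com over a From: at another domain.
# bh=/b= hold placeholder base64, not real hash/signature values.
SAMPLE_THIRD_PARTY = """\
From: Alice <alice@example.org>
To: bob@example.net
Subject: You have received a payment
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal.com;
 s=sel1; h=from:to:subject; bh=ZGVtbw==; b=ZGVtbw==

Alice sent you $10.
"""

ADSP_POLICIES = ("unknown", "all", "discardable")  # RFC 5617 dkim= values


def author_domain(raw_message: str) -> str:
    """Domain of the RFC 5322 From: address (the ADSP 'Author Domain')."""
    msg = email.message_from_string(raw_message)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def signing_domains(raw_message: str) -> list:
    """d= tag of every DKIM-Signature header, lowercased and unverified."""
    msg = email.message_from_string(raw_message)
    found = []
    for header in msg.get_all("DKIM-Signature", []):
        # tag=value list; folding whitespace inside values is dropped
        tags = {m.group(1): re.sub(r"\s+", "", m.group(2))
                for m in re.finditer(r"([a-z]+)\s*=\s*([^;]*)", header)}
        if "d" in tags:
            found.append(tags["d"].lower())
    return found


def adsp_disposition(author: str, verified_d: set, policy: str) -> str:
    """Apply an ADSP policy the way the thread describes it.

    An Author Domain Signature is a *verified* signature whose d= equals
    the From: domain.  If one exists the message is in that domain's
    signed stream and ADSP is not consulted (reputation of d= applies).
    Only otherwise does the published dkim= policy decide anything.
    """
    if policy not in ADSP_POLICIES:
        raise ValueError("unknown ADSP policy: %r" % policy)
    if author in verified_d:
        return "signed-stream"        # ADSP says nothing here
    if policy == "unknown":
        return "no-assertion"         # nothing can be concluded
    if policy == "all":
        return "policy-violation"     # sender claims all mail is signed
    return "discard"                  # dkim=discardable


# --- Lookalike-domain check (the SpamAssassin-style rule proposed above)

_HOMOGLYPHS = str.maketrans("01357", "olest")  # constructed, not exhaustive


def normalize_label(text: str) -> str:
    """Fold common visual substitutions before measuring distance."""
    return text.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_score(domain: str, protected: str = "paypal.com",
                    related: frozenset = frozenset(),
                    max_distance: int = 2, bump: float = 3.0) -> float:
    """Score bump for a domain near, but not in, the protected set.

    `related` stands in for the exhaustive list of legitimate domains the
    thread imagines a brand publishing; exact members score 0.
    """
    d = domain.lower().rstrip(".")
    if d == protected.lower() or d in related:
        return 0.0
    # 1. whole-domain near miss: paypa1.com, paypal.co, paypai.com
    if levenshtein(normalize_label(d), normalize_label(protected)) <= max_distance:
        return bump
    # 2. brand label reused (or nearly) inside another domain:
    #    paypal-secure.example, paypal.co.uk when it is not on the list
    brand = normalize_label(protected.split(".")[0])
    for label in re.split(r"[.-]", d):
        if levenshtein(normalize_label(label), brand) <= 1:
            return bump
    return 0.0


if __name__ == "__main__":
    author = author_domain(SAMPLE_THIRD_PARTY)
    print("From domain:", author, "signed by:", signing_domains(SAMPLE_THIRD_PARTY))
    # pretend the paypal.com signature verified; example.org publishes dkim=unknown
    print("ADSP:", adsp_disposition(author, {"paypal.com"}, "unknown"))
    for cand in ("paypal.com", "paypa1.com", "paypal.co.uk", "example.org"):
        print(cand, lookalike_score(cand, related=frozenset({"paypal.co.uk"})))
```

The ADSP function deliberately takes the verifier's result rather than the raw d= tags: an unverified d=paypal.com header proves nothing, which is the reason the thread keeps reputation attached to the signing domain, not to what the header claims. The lookalike rule scores paypal.co.uk as suspect until it appears in the `related` set, which is exactly the gap Ian's proposed published list would close.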