On Jun 24, 2010, at 8:21 AM, Michael Thomas wrote:
On 06/24/2010 07:49 AM, John Levine wrote:
Are you making the assumption that all third party lists would be equally
credible? That's no more likely than all DNSBLs being equally credible.
In both cases, the good ones will make sure their data is correct,
maybe by backchannels to the underying providers (see the Spamhaus PBL
for an example of that) or by some kind of feedback watching the mail
they make assertions about. The bad ones won't do that, and won't be
useful. (See any number of useless poorly run DNSBLs for an example
of that.)
Any service that doesn't have an *explicit* guarantee from the mail
domain itself that it signs all mail is worse than incompetent,
it's harmful. A third party can *never* prove the negative that the
domain in question doesn't have sources of unsigned mail that they
don't want discarded. The domain in question without a thourough
audit probably doesn't have a clue itself if it's even vaguely
largeish.
So why does a domain that performs that painful audit and
remediation need to then tell John's drop list that it's OK to
drop unsigned mail? It doesn't. It can just publish an ADSP
record and be done with it. No need to count on some unreliable,
unaccountable point of failure to mediate their business.
The problem is that it's not possible to distinguish based solely on
self-published data the domain that's done all that work, and actually
understands the implications from the domain that's just published
an ADSP record because they'd heard it was a good idea, with no
understanding of the effect that would have on their email.
Even paypal, who are one of the main forces driving ADSP, didn't
think through the most basic implications, and caused a lot of
legitimate email that was from their domains, yet not DKIM signed
to be received. If recipient use of ADSP were widespread then
that would have been a business failure rather than just an
embarrassment.
Given that, the odds that any given ADSP-discardable record is
something that it makes operational sense to use is pretty low.
And no competent mailbox operator will want to allow untrusted
third parties to control the service they provide to their customers -
delivery of email.
A similar argument applies to third party lists, including those
run by John, ReturnPath and Spamhaus, with the critical difference
that each of those lists is a single entity, rather than the ADSP-discardable
pseudo-list, which is run by as many different people as their are
domains, so their accuracy can be tracked
over time, and their data only used once it's demonstrated itself to
be accurate enough to have operational benefits.
Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html