ietf-dkim

Re: [ietf-dkim] New Version Notification for draft-levine-dbr-00(fwd)

2010-06-24 12:41:14


-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Michael Thomas
Sent: Thursday, June 24, 2010 12:53 PM
To: Martijn Grooten
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] New Version Notification for draft-levine-dbr-00 (fwd)

On 06/24/2010 08:45 AM, Martijn Grooten wrote:
>> So why does a domain that performs that painful audit and
>> remediation need to then tell John's drop list that it's OK to
>> drop unsigned mail? It doesn't. It can just publish an ADSP
>> record and be done with it. No need to count on some unreliable,
>> unaccountable point of failure to mediate their business.
>
> What if it publishes an ADSP record but doesn't understand the
> implications? Because, for instance, they send a lot of email to mailing
> lists. Or because to some emails, an MTA adds some blurb to the body after
> the DKIM signature has been computed. Or because they forget that in some
> (rare) cases they do not sign their email. (The latter happened to GMail
> who, without having published an ADSP record, had said that all of their
> email was DKIM-signed. Some of it wasn't. At least one commercial spam
> filter used GMail's claim to block unsigned email coming from GMail.)

There are an infinite number of ways to shoot yourself in the foot.
They could also stop signing with DKIM on weekends so they can give
their DKIM signers some well earned rest and relaxation too.

> So my view of the service being discussed here isn't one where some guy
> in upstate NY claims to have full knowledge of which domains DKIM-sign all
> their outbound email. Rather, it's a service where the manager of the
> service uses claims made by the sender about whether they sign all of
> their email and then only lists those domains that know what they're
> doing.

In this instance, not even the guy in upstate NY can keep things straight
with his own small database.


I come into the fray on the side of Michael. +1

If an organization doesn't understand the implications of publishing
ADSP (or doing anything else for that matter) then the basic damage done
is to themselves and their users. Their domain, their problem.

The case where a domain owner contracts with 3rd parties such as eCert,
Authentication Metrics, Return Path, Truedomain or others means that the
3rd party is acting on their behalf. If the 3rd party gets it wrong in
this case then it is a contractual issue between the sending domain and
the organization they contract with.

When random 3rd parties start publishing about domains that is a real
problem. If a random list publisher tells people to drop unsigned mail
by a particular domain - particularly in the absence of an ADSP record -
there is the possibility of them getting sued. This is a significantly
different case than something like SPAM and RBLs.

Mike

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
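The foot-shooting Martijn describes (a mailing list or MTA altering the body after signing, or some mail going out unsigned, with a strict ADSP record already published) comes down to how a receiver applies RFC 5617: no valid signature with d= equal to the From: domain, plus dkim=discardable, means the message is dropped. The following is an added example, not code from this thread or from any of its participants; the domains, DNS entries and DKIM outcomes are constructed inline so it runs offline, and the "noncompliant" label for dkim=all is this example's own name for what the RFC only calls non-compliant.

```python
"""Evaluate an ADSP (RFC 5617) practice against DKIM verification results.

Added example, not code from the ietf-dkim thread. Real deployments fetch
the TXT record at _adsp._domainkey.<author-domain> from DNS; here a
constructed dict stands in for DNS so the example runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for DNS: owner name -> TXT record data.
FAKE_DNS: Dict[str, str] = {
    "_adsp._domainkey.strict.example": "dkim=discardable",
    "_adsp._domainkey.allsigned.example": "dkim=all",
    # unknown.example publishes no ADSP record at all.
}


@dataclass
class DkimResult:
    """Outcome of verifying one DKIM-Signature header."""
    d: str        # signing domain (the d= tag)
    valid: bool   # True if the signature verified over the received body


def lookup_adsp(author_domain: str, dns: Dict[str, str] = FAKE_DNS) -> str:
    """Return the dkim= practice for author_domain; 'unknown' if none is published."""
    txt = dns.get("_adsp._domainkey." + author_domain.lower())
    if txt is None:
        return "unknown"
    for tag in txt.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "dkim":
            value = value.strip().lower()
            # RFC 5617 defines only these three values; treat others as unknown.
            return value if value in ("unknown", "all", "discardable") else "unknown"
    return "unknown"


def has_author_domain_signature(author_domain: str, results: List[DkimResult]) -> bool:
    """An Author Domain Signature is a valid signature whose d= equals the From: domain.
    A valid signature from a mailing list or other third party does not count."""
    return any(r.valid and r.d.lower() == author_domain.lower() for r in results)


def adsp_disposition(author_domain: str, results: List[DkimResult],
                     dns: Dict[str, str] = FAKE_DNS) -> Tuple[str, str]:
    """Return (disposition, practice) where disposition is one of
    'accept', 'noncompliant' (dkim=all, no author signature) or 'discard'."""
    practice = lookup_adsp(author_domain, dns)
    if has_author_domain_signature(author_domain, results):
        return "accept", practice
    if practice == "discardable":
        return "discard", practice
    if practice == "all":
        return "noncompliant", practice
    return "accept", practice


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread's failure modes.
    scenarios = {
        # Mailing list appended a footer after signing: signature no longer verifies.
        "strict.example via list": ("strict.example", [DkimResult("strict.example", False),
                                                       DkimResult("listserv.example", True)]),
        # Rare unsigned path at a domain that said it signs everything.
        "allsigned.example unsigned": ("allsigned.example", []),
        # Domain that never published ADSP: nothing is dropped on its account.
        "unknown.example unsigned": ("unknown.example", []),
    }
    for label, (domain, results) in scenarios.items():
        print(label, "->", adsp_disposition(domain, results))
```

Note that the third-party signature from `listserv.example` in the first scenario is valid but irrelevant: ADSP only consults signatures whose d= matches the author domain, which is exactly why a domain that posts to mailing lists gets burned by dkim=discardable.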
