ietf-dkim

Re: [ietf-dkim] New Version Notification for draft-levine-dbr-00(fwd)

2010-06-24 13:13:53
So my view of the service being discussed here isn't one where some
guy in upstate NY claims to have full knowledge of which domains
DKIM-sign all their outbound email. Rather, it's a service where the
manager of the service uses claims made by the sender about whether
they sign all of their email and then only lists those domains that
know what they're doing.

Why not have a negative service then?

John's list can refute an ADSP of "at risk" domains by including a
link of an exemplar unsigned email (ironically provable via SPF if
necessary...)

Sort of assume ADSP
assumed incompetent until judged otherwise?

That list would then be quite valuable as a way of letting such
domains know that they are vulnerable *and* where their leak is.

dig paypal.com._whatever... txt

atRisk=y; claimsADSPAll=y; counterExample=http://....


Conceivably "at risk" domains would first submit themselves to such a
service and ask it to discover and publish (and/or feedback) counter
examples.

Since all you need is one counter example, getting 20 or 30 large,
trusted mail providers to participate in identifying such emails and
domains should be able to know pretty quickly when something has gone
awry with their IT audit.

John's list then simply becomes a focal point of discovery rather than
a judgment call.


Mark.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
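
A receiver-side reading of the record sketched in the message above, as an added example that is not part of the original post or of draft-levine-dbr. The tag names are the ones in the message; the decision labels, the requirement that a refutation carry an http(s) counterexample, and the example.com/example.net values are assumptions made for illustration.

```python
# Added example: tag names are from the message; semantics and sample data are assumed.
from typing import Dict, Optional
from urllib.parse import urlsplit

def parse_record(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value'. Splits on the first '=' only, so a
    counterExample URL with a query string survives. Assumes no ';' in the URL."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = value.strip()
    return tags

def adsp_claim_refuted(txt: Optional[str]) -> bool:
    """True only if the list publishes a counterexample for a domain claiming 'all'."""
    if txt is None:                 # not listed: assume ADSP competence
        return False
    try:
        tags = parse_record(txt)
    except ValueError:
        return False                # a malformed record refutes nothing
    url = urlsplit(tags.get("counterExample", ""))
    return (tags.get("atRisk") == "y"
            and tags.get("claimsADSPAll") == "y"
            and url.scheme in ("http", "https")
            and bool(url.netloc))

def handle_unsigned(adsp_practice: str, list_txt: Optional[str]) -> str:
    """Decide how to treat an unsigned message given the author domain's
    published ADSP practice (RFC 5617: unknown, all, discardable)."""
    if adsp_practice not in ("all", "discardable"):
        return "no-adsp-action"
    if adsp_claim_refuted(list_txt):
        return "ignore-adsp"        # claim shown wrong: fall back to normal filtering
    return "apply-adsp"

# Constructed sample record, not a real lookup result.
REFUTED = "atRisk=y; claimsADSPAll=y; counterExample=http://lists.example.net/msg?id=42"

if __name__ == "__main__":
    print(handle_unsigned("all", REFUTED))   # listed with a counterexample
    print(handle_unsigned("all", None))      # not listed
```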
