Dave CROCKER wrote:
> On 8/9/2010 11:56 PM, Murray S. Kucherawy wrote:
>> It's pretty universal.
> wow. I had managed to miss this, particularly given the frequent
> comments from folk that they wished DKIM could operate at SMTP time.
> (No doubt, they'd much rather have it be useful before data transfer,
> rather than after. Still, during SMTP is better than later.)
> This tidbit probably needs to be touted more. Not sure how.

Probably helps to read a wider range of people's comments rather than a
selected few. This has been discussed for at least a number of years,
here and in IETF-SMTP, and it was discussed immensely during the Thread
Analysis and the SSP Requirements drafting, helping to provide
guidelines as to when a POLICY was necessary.
Keep in mind that DKIM verification is not always required when ADSP
is supported, making a simple DNS lookup useful at the SMTP level.
For example, the payload is transferred with:
From: whoever@paypal.com
DKIM-Signature: d=someother.com
Before the response is provided, the author domain (paypal.com) ADSP
lookup shows DKIM=DISCARDABLE. Since the DKIM-Signature domain is not
paypal.com, there is no need for any DKIM verification at this point,
because it would be a 100% zero-false-positive condition for instant
rejection.
On the other hand, if it was a 1st party header:
From: whoever@paypal.com
DKIM-Signature: d=paypal.com
a valid 1st party verification short-circuits the need for a POLICY
lookup, as it would only be possible to get a valid 1st party DKIM
signature with the proper 1st party public keys.
As outlined in the SSP requirements, only when the signature fails
can a POLICY lookup come into play.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
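The end-of-DATA decision procedure described in the message above, written out as an added example (not code from the post or from any list member's software). ADSP records are a constructed in-memory table rather than a real `_adsp._domainkey` DNS query, and the `verify` callback stands in for the cryptographic DKIM check so the example shows exactly when that check is and is not run.

```python
import re

# Constructed ADSP records keyed by author domain; no DNS is performed here.
# A real receiver queries the _adsp._domainkey.<domain> TXT record for "dkim=".
ADSP_RECORDS = {"paypal.com": "discardable", "example.org": "all"}


def adsp_lookup(domain):
    """Return the ADSP 'dkim=' practice for a domain, or 'unknown'."""
    return ADSP_RECORDS.get(domain.lower(), "unknown")


def author_domain(from_header):
    """Domain of the From: address, e.g. 'whoever@paypal.com' -> 'paypal.com'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None


def signature_domain(dkim_signature):
    """The d= tag of one DKIM-Signature header value, or None if absent."""
    m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", dkim_signature)
    return m.group(1).lower() if m else None


def smtp_time_decision(from_header, dkim_signatures, verify):
    """Decide on a message before the end-of-DATA response is sent.

    verify(header_value) -> bool is the expensive cryptographic DKIM check;
    it is called only for author-domain (1st party) signatures.
    Returns (decision, number_of_verifications_run).
    """
    author = author_domain(from_header)
    if author is None:
        return ("treat-as-unsigned", 0)
    first_party = [s for s in dkim_signatures if signature_domain(s) == author]
    if not first_party:
        # No 1st party signature at all: a plain DNS lookup settles it.
        if adsp_lookup(author) == "discardable":
            return ("reject", 0)
        return ("treat-as-unsigned", 0)
    runs = 0
    for sig in first_party:
        runs += 1
        if verify(sig):
            # A valid author-domain signature makes the policy lookup moot.
            return ("accept", runs)
    # Only when the 1st party signature(s) fail does the policy come into play.
    if adsp_lookup(author) == "discardable":
        return ("reject", runs)
    return ("treat-as-unsigned", runs)
```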