Ian Eiloart wrote:
There is NO filtering usefulness using DKIM as it is
not reputation based. It does give one the ability to slow
down spoofing. If the signature matches then indeed the sending
ISP did in fact send it.
But what if it didn't match? Do you continue sending potentially
spoofed mail?
Actually, there is filtering usefulness in DKIM, because it can be used
in conjunction with a reputation database.
Do you mean in lieu of Reputation Information? Because the question
above is when it doesn't match.
I just have a problem with receiving two messages:
MSG #1: From: someone@domain.com
DKIM-SIGNATURE: .....
MSG #2: From: someone@domain.com
(NO DKIM-SIGNATURE)
And MSG #1 is whitelisted with confidence and MSG #2 is passed anyway,
even if it has been assigned an initial dirty score, passed to
users to make a decision themselves. That is a very risky thing to
pass on to MUAs, especially OFFLINE MUAs where you have no real
control of what they do in mail presentation.
Whatever this "REPUTATION" IDEA is, it still needs some "bit" that it
expects "something" about domain.com having a signature, right?
I don't see a difference with REPUTATION with regard to the same
issues people complained about SPF or ADSP:
known reputation - make a hard decision - GOOD CITIZEN MODEL
unknown reputation - soft failure? or Neutral? or Reject?
Do you see a difference? I don't, other than one group wants to accept
the unknown (or learn the badness of the message, if you're lucky enough
to have accumulated repeated scoring) and the other group wants to do
something about it.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com