On Nov 21, 2010, at 6:43 PM, Tsuneki Ohnishi wrote:
Thanks, Bill, Mark and Byung-Hee for the warm welcome.
Yes, we gotta start something somewhere and glad to
let you know that we are staring something here.
If possible, let's work together for the spread out
in eastern asia, Byung-Hee.
Well, let me give you the first feedback of what's
been discussed at the point of implementation here,
and I would like to ask your opinions.
Here is our stuation. Members of dkim.jp so far circulate
somewhat like 30% of domestic emails and a lot more forged
emails coming from overseas, especially forged @yahoo.co.jp
and @rakuten.co.jp. So with the initiative of those two
companies and others, we got together to get rid of those
forged emails.
Senders in dkim.jp are committed to attach DKIM signature
withing 6 months, and possibly ready to write their ADSP
"discardable". Since we have major ISPs on our member list
and they are very willing to discard unveryfied emails,
no surprise about it :-), we are trying to inch up to the
level where all domestic emails are signed and verified.
But there is a small problem. It is rather polical.
We have a telecommunication law that allows ISPs to discard
forged email, but our Ministry so far does not acknowledge
that failure of DKIM verification immediately equals to
forgery, because there could be other reasons to fail.
That's not political, that's technical. Mail that is validly
DKIM signed when it's sent may not be DKIM signed
when it is received.
If you discard mail that isn't DKIM signed just because
you expected it to be DKIM signed, you'll end up discarding
quite a lot of email. And the errors aren't likely to be
terribly random, rather they'll be related to particular
mail paths, so some people will see a lot of mail wrongly
discarded.
ADSP is better than SPF, but it's still not something anyone
should consider deploying widely as a primary means
of deciding to discard inbound email.
We can fight about it taking time to get through to dull
Japanese bureaucracy, but I think there is a faster way.
It is to let senders to have an option to declare that
if there is no DKIM signature at all, verifiers can discard
those messages. Then we can shut their mouths insisting
there could be other reasons.
So, my point is that what do you think of the idea to have
an new entry in ADSP "discard-if-no-sig", which allows
senders to declare messages without DKIM signature should
be discarded?
If you're just trying to stop email such as virus blowback
then something simple like that will work OK, some of the
time. It's more complex, and less effective, than other approaches
so it's not a really good idea.
But if you're trying to stop mail that's being sent by a bad
actor... give up on this approach, as it's trivial to add a "fake"
DKIM header that will not authenticate.
Also, it may discard quite a bit
of legitimate email, if any of your users subscribe to mailing
lists (some mailing list managers are likely to strip out
DKIM headers in the cases where they know they'll invalidate
them).
Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html