On 11/22/10 9:25 AM, Steve Atkins wrote:
...
But if you're trying to stop mail that's being sent by a bad
actor... give up on this approach, as it's trivial to add a "fake"
DKIM header that will not authenticate.
Also, it may discard quite a bit
of legitimate email, if any of your users subscribe to mailing
lists (some mailing list managers are likely to strip out
DKIM headers in the cases where they know they'll invalidate
them).
Agreed. DKIM does not offer a comprehensive method to qualify the source
of a message. Extensions, such as the TPA-Label scheme, could extend
signing policy to include other authentication and authorization methods
and retain delivery integrity. ADSP using just DKIM is likely to cause
a significant loss of legitimate email, especially when DISCARDABLE is
asserted.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html