We really need a FAQ for this group.
Simply publishing an ADSP record does not change this fact. ADSP can
perhaps be used productively for specific signers and verifiers, but it
does not work for all legitimate scenarios.
What does work for all legitimate scenarios?
Short answer: nothing.
Slightly longer answer: the problem with ADSP is that, based on my limited
but I think credible statistics, most people who publish ADSP don't know
what it means, so blindly following ADSP advice from random domains is
more likely to discard real mail than phishes.
There certainly are some domains that sign all their mail, don't mix
individual with transactional mail, and are phish targets. Paypal.com is
the standard example. Competently maintained lists of those domains would
provide useful advice for discarding likely phishes. Back in June I wrote
draft-levine-dbr-00, which describes Denounce-By-Reference, a simple way
to publish such lists in the DNS.
Anyone want to move it along?
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html