Also realize that this isn't "Gmail shouldn't sign spam"; it's that everyone
who normally has a good reputation needs to not sign spam. This is a way to
steal reputation from any service allowing you to choose your own message,
and it can be used against any mail receiver.

That said, I think this proposal mostly duplicates SPF with some small
benefit, but one can combine the SPF and DKIM signals to try to combat this
issue without introducing a new standard. Forwarding will take the worst
hit in false positives, but things like ARC may help with that issue
separately.

Brandon

On Nov 17, 2016 12:57 PM, "Murray S. Kucherawy" <superuser(_at_)gmail(_dot_)com> wrote:

On Thu, Nov 17, 2016 at 9:51 PM, Michael Storz <Michael(_dot_)Storz(_at_)lrz(_dot_)de> wrote:

Thanks, I see. That means the recipient is bound to the message and an
attacker cannot delete or change the new tags. Great solution, I like it,
though I do not like the consequences when this extension will go into
production.

You may not need to worry about that. We've reached a point where I think
we can legitimately say, "We took a serious look, and this is the best we
could come up with. It has some pretty ugly side effects. Are you sure
you can't just stop signing spam?" And absent a compelling answer to that
question, there's no need to roll this out even as an experiment.

-MSK
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html