At 04:38 PM 10/6/2004 -0500, Seth Goodman wrote:
> > If I were deploying it, I would probably just accept the messages
> > that pass authentication and have adequate sender reputation, and
> > run SpamAssassin on the rest. Either way, the overhead of
> > signature checking trades off against some reduction in content filtering.
>
> Interesting choice. It sounds like this uses authentication and sender
> reputation as a whitelisting system. Just out of curiosity, why wouldn't
> you reject on an authentication failure?

You need to consider both authentication failure (signature present but doesn't
verify) and failure to authenticate (lack of signature). It will be quite a
while before we can reject unsigned messages out of hand, except when the
asserted sending domain publishes a policy that it signs everything.
Signatures that don't verify could probably be dealt with more harshly, but
only after we have some experience showing that signature integrity isn't being
mangled in transit.
-Jim
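
The handling discussed in this thread, written out as a receiver-side decision function that keeps "signature present but doesn't verify" separate from "no signature". This is an added example, not code from either poster or from any signing proposal; the names `Sig`, `disposition`, `domain_signs_all` and `reject_invalid` are hypothetical, and the sample inputs are constructed.

```python
from enum import Enum


class Sig(Enum):
    VALID = "valid"      # signature present and verifies
    INVALID = "invalid"  # signature present but does not verify
    ABSENT = "absent"    # no signature at all


def disposition(sig, good_reputation, domain_signs_all, reject_invalid=False):
    """Return 'accept', 'filter' (hand to content filtering) or 'reject'.

    reject_invalid is an assumed site switch: it stays off until there is
    experience showing signatures are not being mangled in transit.
    """
    if sig is Sig.VALID:
        # A verified signature only identifies the sender; reputation decides
        # whether the message may skip content filtering.
        return "accept" if good_reputation else "filter"
    if sig is Sig.ABSENT:
        # Unsigned mail is rejectable only when the asserted sending domain
        # publishes a policy that it signs everything.
        return "reject" if domain_signs_all else "filter"
    # Sig.INVALID: a broken signature may be transit damage, so by default
    # the message is treated like any unauthenticated one.
    return "reject" if reject_invalid else "filter"


# Constructed cases: (label, signature state, reputation ok, signs-all policy)
SAMPLES = [
    ("signed, known-good sender", Sig.VALID, True, False),
    ("signed, unknown sender", Sig.VALID, False, False),
    ("unsigned, no published policy", Sig.ABSENT, False, False),
    ("unsigned, domain signs everything", Sig.ABSENT, True, True),
    ("signature broken", Sig.INVALID, True, True),
]


def run_samples(reject_invalid=False):
    """Map each constructed case label to its disposition."""
    return {label: disposition(sig, rep, policy, reject_invalid)
            for label, sig, rep, policy in SAMPLES}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:36} -> {result}")
```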