
DKIM and authentication (was: Re: Anything else on the content?)

2006-10-31 14:17:53

--On Monday, 30 October, 2006 14:57 -0800 Douglas Otis
<dotis(_at_)mail-abuse(_dot_)org> wrote:

One more note supporting the concept of a mechanism for

A DKIM signing-domain should relate to the sending entity to
be useful at reducing abuse.  The entity held accountable by
their IP address should receive relevant abuse feedback
validated by the DKIM signature.  Thus the DKIM signature may
typically not match the 2822.From or the 2821.MailFrom where an
association mechanism can be used instead.  As a DKIM signature
can be replayed, DoS protections are found by an association of
the SMTP Client with the DKIM signature.  Messages where the
SMTP-Client/Signing-domain && Signing-domain/MailFrom can not
be associated, then acceptance should be on a limited basis.
The limitation could be rate limiting for example. An
association mechanism also removes any need for private keys
or DNS zones to be exchanged between domains.


While this is interesting, as Dave points out, it is probably not
the right place to debate it.  However, I feel obligated to
point out that you are on a slippery slope relative to the
promises made to the IETF when the DKIM effort was chartered.
Those promises clearly stressed that DKIM was appropriate as a
reputation check by the delivery MTA or target user MUA, but not
as a means of authenticating senders and rejecting mail in
transit.  I think the above, in the context of the note that
apparently stimulated it, comes very close to assertion of
precisely that sender authentication and, potentially, rejection

