[Top] [All Lists]

Re: DKIM and authentication

2006-11-01 01:46:51

John C Klensin wrote:
While this is interesting as Dave points out it is probably not
the right place to debate it.

It's about "drop" vs. "reject".  When Doug talks about "message
annotation" I think it's in practice "drop" for anybody who hasn't
the time to check "annotated messages" manually. 

And when he talks about "acceptance on a limited basis" I think
it's in practice "reject", at best TempFail.

Those promises clearly stressed that DKIM was appropriate as a
reputation check by the delivery MTA or target user MUA, but
not as a means of authenticating senders and rejecting mail in

| Taken together, these will assist receiving domains in detecting
| (or ruling out) certain forms of spoofing as it pertains to the
| signing domain.

"Ruling out" can be "reject" or "drop", it's in the DKIM Charter.
The only reliable way of "ruling out" is "reject at the border MX".

Anything "annotated" is a black hole, and any later rejects could
cause bounces to random addresses - unless it's limited to traffic
from 4409 6.1 MSAs and/or SPF PASS and/or old RFC 821 reverse path
routing buried under tons of SHOULD NOT and/or some crystal ball
I've not heard of.


<Prev in Thread] Current Thread [Next in Thread>
  • Re: DKIM and authentication, Frank Ellermann <=