ietf-smtp

Re: SMTP and DKIM/POLICY Rejection Handling

2009-10-18 09:16:18

Alessandro Vesely wrote:



Indeed, SMTP is referenced among the *Informative References* for ADSP. It is left to the implementor's common sense to derive that temporary errors deserve a 4xx response, and that "dkim=discardable" calls for silently dropping --rather than rejecting-- a message. From a normative POV, this attitude leads to a lack of specification that may progressively thwart the design, implementation, or even installation of new mail systems.


+1.  RFC 5617 concerns are what's keeping us from implementing DKIM.

Nonetheless, it does include recommendations for handling messages such as in section 3.3:

   o  All messages from this domain are signed with an Author Domain
      Signature and are discardable, i.e., if a message arrives
      without a valid Author Domain Signature, the domain
      encourages the recipient(s) to discard it.

and section 4.2.1

  discardable

     All mail from the domain is signed with an
     Author Domain Signature.  Furthermore, if a
     message arrives without a valid Author Domain
     Signature due to modification in transit,
     submission via a path without access to a
     signing key, or any other reason, the domain
     encourages the recipient(s) to discard it.

and in section 3.3:

SMTP developers could apply this at the SMTP level for systems that do not want to forward/pass hostile messages to recipients.

IMHO, we need an SMTP extension that explicitly binds anti-spam checks with the appropriate SMTP behavior.


I am not sure we need an SMTP extension for this, IMO, codifying new 5321/5322 related standard track specifications could also resolve conflictive guidance for implementors.

Failed DKIM validation is to be treated as if no signature is present.

which violates RFC 5617 DKIM=DISCARDABLE policy which would justify an SMTP level rejection or post-SMTP message acceptance silent discard.

Actually doesn't. Broken signatures are tantamount to missing ones, which avoids the problem of checking whether a message had actually been remailed.


Can you elaborate?

> Alas, "dkim=rejectable" is not provided for: this is consistent with the current trend of undermining SMTP's reliability.

So you suggest a specific "dkim=rejectable" would apply for SMTP rejects and "dkim=discardable" for post message acceptance silent discards?

I don't think domains declaring an "actionable" ADSP policy such as a DKIM=DISCARDABLE|REJECTABLE really care how an SMTP verifier deals with ADSP policy violation other than to suggest "get rid of it, don't accept it" - they don't want to claim any responsibility for the broken DKIM/ADSP message and are providing explicit receiver handling suggestions.

But I agree that the RFC should correctly apply for both SMTP message handling implementation methods.

--
Sincerely

Hector Santos
http://www.santronics.com
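
The handling choices debated in this message, sketched as an added example (not code from the thread, from RFC 5617, or from any mail server): it parses an ADSP record and maps the outcome to an SMTP-level action, with the reject-versus-silent-discard choice left to the receiver. The function names, the `"TEMPERROR"` lookup marker, the `on_discardable` parameter and the 451/550 reply codes are assumptions made for illustration.

```python
from enum import Enum

class Disposition(Enum):
    ACCEPT = "250 accept and deliver"
    TEMPFAIL = "451 temporary failure, sending MTA retries"
    REJECT = "550 reject during the SMTP session"
    DISCARD = "250 accept, then silently drop"

def parse_adsp(txt):
    """Return the signing practice from an ADSP TXT record.

    RFC 5617 section 4.2.1 defines unknown, all and discardable; the
    record must begin with the dkim tag and any other value is 'unknown'.
    """
    first = txt.split(";", 1)[0]
    tag, sep, value = first.partition("=")
    if not sep or tag.strip() != "dkim":
        return "unknown"
    value = value.strip().lower()
    return value if value in ("unknown", "all", "discardable") else "unknown"

def decide(adsp_lookup, author_sig_valid, on_discardable=Disposition.DISCARD):
    """Map a DKIM/ADSP outcome to an SMTP action.

    adsp_lookup: the TXT string, None when no record exists, or the
    hypothetical marker "TEMPERROR" for a transient DNS failure.
    author_sig_valid: False for a missing signature and for a broken one,
    since a failed validation is treated as if no signature were present.
    on_discardable: receiver's choice, DISCARD or REJECT (assumption).
    """
    if author_sig_valid:
        return Disposition.ACCEPT
    if adsp_lookup == "TEMPERROR":
        return Disposition.TEMPFAIL      # temporary errors get a 4xx
    if adsp_lookup is None:
        return Disposition.ACCEPT
    if parse_adsp(adsp_lookup) == "discardable":
        return on_discardable
    return Disposition.ACCEPT            # 'all' and 'unknown': no drop requested

# Constructed sample inputs, not taken from real DNS.
if __name__ == "__main__":
    for rec, ok in [("dkim=discardable", False), ("dkim=all", False),
                    ("TEMPERROR", False), ("dkim=discardable", True)]:
        print(rec, ok, "->", decide(rec, ok).value)
```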