Alessandro Vesely wrote:
Indeed, SMTP is referenced among the *Informative References* for ADSP.
It is left to the implementor's common sense to derive that temporary
errors deserve a 4xx response, and that "dkim=discardable" calls for
silently dropping --rather than rejecting-- a message. From a normative
POV, this attitude leads to a lack of specification that may
progressively thwart the design, implementation, or even installation of
new mail systems.
+1. RFC 5617 concerns is whats keeping us from implementing DKIM.
Nonetheless, it does include recommendations for handling messages
such as in section 3.3:
o All messages from this domain are signed with an Author Domain
Signature and are discardable, i.e., if a message arrives
without a valid Author Domain Signature, the domain
encourages the recipient(s) to discard it.
and section 4.2.1
discardable
All mail from the domain is signed with an
Author Domain Signature. Furthermore, if a
message arrives without a valid Author Domain
Signature due to modification in transit,
submission via a path without access to a
signing key, or any other reason, the domain
encourages the recipient(s) to discard it.
and in section 3.3:
SMTP developers could apply this at the SMTP level for systems who do
not want forward/pass hostile messages to recipients.
IMHO, we need an SMTP extension that explicitly binds
anti-spam checks with the appropriate SMTP behavior.
I am not sure we need an SMTP extension for this, IMO, codifying new
5321/5322 related standard track specifications could also resolve
conflictive guidance for implementators.
Failed DKIM validation is to be treated as if no signature is present.
which violates RFC 5617 DKIM=DISCARDABLE policy which would justify a
SMTP level rejection or POST SMTP message acception silent discard.
Actually doesn't. Broken signatures tantamount missing ones, which
avoids the problem of checking whether a message had actually been
remailed.
Can you elaborate?
> Alas, "dkim=rejectable" is not provided for: this is
consistent with the current trend of undermining SMTP's reliability.
So you suggest a specific "dkim=rejectable" would apply for SMTP
rejects and "dkim=discardable" for post message acceptance silent
discards?
I don't think domains declaring a "actionable" ADSP policy such as a
DKIM=DISCARDABLE|REJECTABLE really care how a SMTP verifier deals with
ADSP policy violation other than to suggest "get rid it, don't
accept it" - they don't want to claim any responsibility for the
broken DKIM/ADSP message and is providing explicit receiver handling
suggestions.
But I agree that the RFC should correctly apply for both SMTP message
handling implementation methods.
--
Sincerely
Hector Santos
http://www.santronics.com