John Levine writes:
> As you say, merely having a DKIM signature tells you nothing, but
> after you watch a mail stream for a while, you see that some DKIM
> signers send clean mail and some send lousy mail and adjust your
> filters appropriately.
To me that's not fundamentally different from filtering based on the sending
IP address.
I do not see both bad and clean mail coming out of the same IP address,
differing only in the sending domain. In that situation, and where the
signatures are applied by the mail host to their users, then I could see
this argument.
I should clarify this. I see that occasionally. But when it does, I seem to
always end up moving my goalposts, and conclude that the mail provider
itself is rogue, and made a business decision to go into the business of
providing spam outsourcing services, with some non-spam mail services on the
side. So I treat it as a bad mail source.
As long as mail recipients are willing to tolerate spam-friendly mail
service providers, and relying on the domain signature to filter out their
spamming customers, this situation will never change.
I don't accept the premise that accepts bad and clean mail coming out of the
same IP address using "oh well just use a domain signature" as a solution.
> Large mail systems all do this. We hoped that
> there would be shared DKIM reputation lists like there are shared IP
> lists but so far that hasn't happened.
This is never going to happen. Domains are relatively cheap. If a domain
acquires negative social credit it'll be discarded and replaced by a new one.
> The original point of DMARC was for B2C or B2B mail from heavily
> phished domains like Paypal, that could say please discard anything
> from us that fails DMARC and we understand that might be some real
> mail. (All of Paypal's mail just says "something happened, look at our
> web site".) It still works pretty well for that.
Eh, no. A large majority of user-facing mail clients are now hiding the
sending mail address, and showing only the name, up front.
From: "Paypal Customer Service" <kjsdfjklk(_at_)934iowero(_dot_)us>
Most people will see "Paypal Customer Service". Valid domain signature for
934iowero.us, and straight it goes into your Inbox.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
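The display-name case from the last reply, as an added example that is not part of the original thread: a receiver-side check that compares the domain DKIM/DMARC evaluates with the brand the display name shows. The `BRAND_DOMAINS` table, the function names and the simplified alignment rule (no public suffix list) are assumptions; the first sample header is the one quoted in the message with its archive obfuscation undone.

```python
import re
from email.utils import parseaddr

# Assumption: brands worth protecting and the domains they really send from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def _under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def check_from(from_header, dkim_d):
    """Compare what DMARC checks (address domain) with what the user sees (name)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    d = dkim_d.lower().rstrip(".")
    # Simplified relaxed alignment: a real check uses organizational domains
    # derived from a public suffix list.
    aligned = bool(domain) and (_under(domain, d) or _under(d, domain))
    # Collapse the display name so "Pay-Pal" or "P a y P a l" still matches.
    shown = re.sub(r"[^a-z0-9]", "", name.lower())
    claimed = [b for b in BRAND_DOMAINS if b in shown]
    # A brand is mismatched when the address domain is not one of its own.
    mismatched = [b for b in claimed
                  if not any(_under(domain, ok) for ok in BRAND_DOMAINS[b])]
    return {"from_domain": domain, "dkim_aligned": aligned,
            "brand_mismatch": mismatched}


# Header value from the message above; the second one is constructed.
SPOOF = check_from('"Paypal Customer Service" <kjsdfjklk@934iowero.us>',
                   "934iowero.us")
LEGIT = check_from('"PayPal" <service@paypal.com>', "paypal.com")

if __name__ == "__main__":
    print(SPOOF)  # aligned signature, but the shown brand does not own the domain
    print(LEGIT)
```

Both messages are DKIM-aligned; only the `brand_mismatch` field separates them, which is the gap the reply describes.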