Does it follow, then, that the Right Thing to do is to avoid
building any other parts of the system (even, say, the reputation
service query protocol) until the easiest part is finished?
If we knew what to build, we'd build it.
We published RFC 5518 for VBR, a reputation system that sits on top of
DKIM, two years ago. At this point I know of only one small VBR
provider, which I manage.
Also, even without general reputation systems, there are special cases
that are worth doing, e.g., there's a handful of large heavily phished
domains that sign all their mail, notably paypal.com and its ccTLD
variants. For a medium or large mail system, it's worth adjusting the
spam filters to throw away mail purporting to be from Paypal that
doesn't have a signature.
R's,
John
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf