spf-discuss

Re: op=dkim

2005-06-03 13:56:33
Terry Fielder wrote:
 
> You would then also have to EVALUATE the dkim else the
> spammer could put any dkim look-alike string in there

Yes.

> (or did you intend to imply that).

I stay as far as possible away from any "receiver policy" ;-)

Unless Wayne removes his investigated PermError SMTP DSN codes
without technical reasons from the SPF spec., keeping all other
codes (TempError, SoftFail, Fail), that's too obviously FUBAR.

> And if one EVALUATEs dkim, then it is beyond the scope of
> the SPFv1 spec.

Sure, but see Andy's construct in the spf-considerations-00.txt
"7.2  Use of Other Authentication Schemes":

| There do exist scenarios where mail administrators do not wish to
| subject their email practices to SPF checks but do wish to offer an
| affirmative acknowledgment of the practice of using SPF.  Such a
| scenario would be email sending domains that wish to rely on other
| authentication schemes, such as cryptographic-based signature
| schemes.

| This is easily accomplished with the exclusive use of the "all"
| mechanism using the pass result.  Such as:
|     v=spf1 +all

Now I'm not saying that this is a good idea, but a policy like
"v=spf1 op=dkim ?all" could actually mean something.

If some stupid spammers start to use bogus DKIM signatures they
would face similar problems as with forging the MAIL FROMs for
SPF FAIL policies.
                            Bye, Frank
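
The two records discussed in this message, run through a small parser. This is an added example, not code from the post or from any SPF implementation. It evaluates only the "all" mechanism, and `receiver_view`, its labels, and the reading of `op=dkim` as "the domain claims its mail is DKIM-signed" are assumptions made for illustration.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# A modifier is name=value; a mechanism never has '=' directly after its name.
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")


def parse_spf(record):
    """Split an SPFv1 record into (mechanisms, modifiers)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPFv1 record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        m = MODIFIER.match(term)
        if m:
            modifiers[m.group(1).lower()] = m.group(2)
        elif term[0] in QUALIFIERS:
            mechanisms.append((term[0], term[1:].lower()))
        else:
            mechanisms.append(("+", term.lower()))  # default qualifier
    return mechanisms, modifiers


def spf_result(record):
    """SPFv1 result from 'all' only; op= is an unknown modifier and is ignored."""
    mechanisms, modifiers = parse_spf(record)
    for qualifier, name in mechanisms:
        if name != "all":
            raise NotImplementedError(name)  # this sketch handles 'all' only
        return QUALIFIERS[qualifier], modifiers
    return "neutral", modifiers  # no mechanism matched


def receiver_view(record, dkim_verified):
    """Hypothetical receiver-side combination (outside the SPFv1 spec).

    dkim_verified must be the outcome of real signature verification,
    never the mere presence of a signature-looking header.
    """
    result, modifiers = spf_result(record)
    if modifiers.get("op", "").lower() != "dkim":  # assumed meaning of op=dkim
        return result, "spf-only"
    return result, "dkim-verified" if dkim_verified else "dkim-claimed-but-unverified"


if __name__ == "__main__":
    for rec in ("v=spf1 +all", "v=spf1 op=dkim ?all"):
        print(rec, "->", receiver_view(rec, dkim_verified=False))
```

The SPF result for `v=spf1 op=dkim ?all` is neutral with or without the modifier; only a receiver that actually verifies the signature can tell a bogus one from a genuine one.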