spf-discuss

RE: possibilities for 2822

2005-08-20 10:41:01
From: Scott Kitterman [mailto:spf2(_at_)kitterman(_dot_)com]
Sent: Saturday, August 20, 2005 11:13 AM

<...>

I'm thinking of the periodically discussed op=dkim as the domain owner
asking receivers to check DKIM (go to DATA) and not reject an SPF
Fail that passes DKIM.

That's certainly one possible way to define op=*.  I think of op=* as saying
that the sender always uses a given protocol for 2822, so fail the message
after data if it is _not_ signed with that protocol.  For me, an SPF fail is
good enough reason for rejection before data (once the forwarding issue is
dealt with properly).  Giving that up by deferring to a 2822 protocol pass
permits an attacker to mount a DKIM DDoS that doesn't even have to come from
the domain's designated sending MTAs.  If you make op=* mean "always uses
this 2822 protocol", then you can at least reject some of the attack before
data.  If you find messages that pass SPF but don't pass the 2822 protocol,
you have identified one of the attackers and can submit that as evidence to
get their entire domain blacklisted.

--

Seth Goodman


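To make the two readings of op=dkim concrete, the following is an added example (not from this thread or from any SPF or DKIM implementation): it models each interpretation as a receiver policy function over a constructed traffic mix and counts how many messages each policy must accept DATA for. The hypothetical op=dkim modifier, the message fields and the verdict names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    """Constructed sample: what a receiver knows at MAIL FROM (spf) and after DATA (dkim_*)."""
    label: str
    spf: str           # SPF result for the MAIL FROM domain: "pass", "fail" or "none"
    dkim_signed: bool  # a DKIM-Signature header is present (known only after DATA)
    dkim_valid: bool   # that signature verifies for the domain (known only after DATA)

def defer_to_dkim(m: Msg) -> str:
    """Reading A: op=dkim asks the receiver to go to DATA and not reject an
    SPF fail that passes DKIM. Nothing is rejected before DATA."""
    if m.dkim_signed and m.dkim_valid:
        return "accept"
    return "reject-after-data" if m.spf == "fail" else "accept"

def always_signs(m: Msg) -> str:
    """Reading B: op=dkim states the domain always DKIM-signs. SPF fail is still
    rejected before DATA; anything reaching DATA without a valid signature is
    rejected after DATA (SPF pass + DKIM fail is the case worth recording)."""
    if m.spf == "fail":
        return "reject-before-data"
    if not (m.dkim_signed and m.dkim_valid):
        return "reject-after-data"  # designated MTA sent unsigned/bad mail: evidence
    return "accept"

def data_stage_load(policy, stream: list[Msg]) -> int:
    """Messages the receiver must accept DATA for (and DKIM-verify when signed)."""
    return sum(1 for m in stream if policy(m) != "reject-before-data")

# Constructed traffic mix. The last entry is the forwarding case the post says
# must be dealt with separately before pre-DATA rejection on SPF fail is safe.
STREAM = [
    Msg("legit, designated MTA", "pass", True, True),
    Msg("designated MTA, unsigned", "pass", False, False),
    Msg("attacker, random host, bogus sig", "fail", True, False),
    Msg("attacker, random host, bogus sig", "fail", True, False),
    Msg("attacker, random host, bogus sig", "fail", True, False),
    Msg("legit, via forwarder", "fail", True, True),
]

def compare(stream: list[Msg] = STREAM) -> dict:
    """Per-message verdicts under both readings plus the DATA-stage load each imposes."""
    return {"defer_to_dkim": [defer_to_dkim(m) for m in stream],
            "always_signs": [always_signs(m) for m in stream],
            "data_stage_load": (data_stage_load(defer_to_dkim, stream),
                                data_stage_load(always_signs, stream))}
```

On this mix, reading A accepts DATA (and does DKIM work) for all six messages, while reading B does so for only the two that pass SPF, and it is the one that surfaces the unsigned message from the designated MTA.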