spf-discuss

Re: Re: possibilities for 2822

2005-08-24 02:48:35

Frank Ellermann wrote:

Actually a SPF PASS has one feature that a DKIM PASS doesn't
have:  You can simply challenge an unknown SPF PASS.  Whatever
the effect might be, it won't hit an innocent bystander.  So
SPF PASS has value without complex "reputation" solutions, a
white list is good enough.

And THAT is exactly the point.  There are those on the DKIM list that 
are trying to make sure that DKIM won't mean a thing without their 
proprietary Voodoo.

The Sender Signing Policy (SSP) can fix that if we do it right.

There are more threats out there to the future of free/open e-mail than 
just patents.

Right.  We use SPF because we know that SPF implementations are going to check 
and respect my SPF domain sender machine policies.  If there was even A 
LOOPHOLE in that basic fundamental concept, I would not have bothered with SPF.  
What's the point?  Why should my MTA DKIM sign outgoing messages if there is NO 
assurance (specification wise) that a DKIM receiver is going to check my 
SIGNING Policy, especially check for 3rd party signatures?

It's unbelievable what's going on in that DKIM forum. What an unfortunate waste 
because DKIM has a potential of offering a solid foundation to resolve phishing 
and spoofing issues that get past the SMTP level. And you know I won't say that 
unless I meant it.

But nooooooo! They don't want to "associate" it as an ANTI-SPOOF/PHISH solution. 
This "double talk" marketing angle is doing nothing more than hurt its 
potential.

Also consider, DKIM is not for everyone.  The biggest benefactors will be 
systems with HIGH VALUE email (banks, ecommerce, etc).  I see no value for a 
MAILING LIST, unless this MAILING LIST is commercial SPAM from a BANK with a 
contract with users anyway.

But nooooooo!  DKIM has to work across the board and that isn't going to 
happen.  You really can't have it both ways with something like DKIM. It 
can't be relaxed.  3rd parties can work, but all parts must do double checks.


-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


