spf-discuss

Re: [spf-discuss] DKIM modifier

2005-09-12 06:53:41
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Scott Kitterman wrote:
> > SPF + DKIM by itself can never reject before DATA.
>
> That's a new idea.  My naive concept of SPF + DKIM was:
>
> - reject on FAIL (otherwise it's no SPF as specified)
> - optionally (your proposal) byPASS DKIM for PASS
> - normal DKIM for the rest (at least for NEUTRAL)

This leads to an interesting question:

There are two variants: (a) SPF and DKIM both are _required_ for a message 
to pass, or (b) SPF and DKIM each are _sufficient_ for a message to pass.

Would it be useful to allow the _domain_owner_ to specify which variant 
they prefer?

Both SPF and DKIM tighten up the mail system's rules in their own ways for 
those who choose to participate.  Meng Weng Wong has long been advocating 
variant (b)[1,2] with the intent to solve the "forwarding problem".  The 
problem with this, however, is that the assertions made by successful SPF 
and DKIM checks are not exactly equivalent.  SPF (like Sender ID) says: 
"The last hop, i.e. the calling IP address, was allowed to use the sender 
domain", while DKIM says "The message has, at some time, passed through 
an MTA of the sender domain".

As a result I don't think that variant (b) is "the right thing to do".

Also, assuming we allowed "the domain owner" to specify which variant they 
prefer, there is always the possibility that the SPF domain doesn't match 
the DKIM domain (i.e. MAIL FROM:<lamer@aol.com>, Sender: 
snake@pit.com).

In that case, should the SPF domain owner be allowed to specify that the 
authenticity (yeah, go ahead and stone me to death) of the DKIM domain 
should or should not be checked?

Anyone replying to this message, please keep thinking ahead.  We need to 
explore this area more.

References:
 1. http://spf.pobox.com/slides/unified%20spf/0434.html
 2. http://spf.pobox.com/slides/motherzombie/0221.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDJYg8wL7PKlBZWjsRAkmCAKCnGHk+pEuO8K8tr3c0RcDc+Am1bQCgjbR6
fvHLsRIk7l1j6gM60l/T3b0=
=YnNP
-----END PGP SIGNATURE-----
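
The message above contrasts variant (a), variant (b) and the quoted three-step flow, and raises the case where the SPF and DKIM domains differ. The following is an added example, not part of the original message or of any SPF or DKIM implementation: it evaluates all three on constructed results, and every name and domain in it is a hypothetical placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Result:
    spf_domain: str   # MAIL FROM domain that SPF was evaluated for
    spf: str          # "pass", "fail", "neutral" or "none"
    dkim_domain: str  # domain named in the DKIM signature
    dkim: str         # "pass", "fail" or "none"

def variant_a(r):
    """(a) SPF and DKIM are both required."""
    return r.spf == "pass" and r.dkim == "pass"

def variant_b(r):
    """(b) SPF and DKIM are each sufficient."""
    return r.spf == "pass" or r.dkim == "pass"

def staged(r):
    """The three-step flow quoted from Frank Ellermann."""
    if r.spf == "fail":
        return "reject"
    if r.spf == "pass":
        return "accept, DKIM bypassed"
    return "DKIM decides: " + r.dkim

def vouched_domains(r):
    """Domains that some passing check actually speaks for."""
    out = set()
    if r.spf == "pass":
        out.add(r.spf_domain)
    if r.dkim == "pass":
        out.add(r.dkim_domain)
    return out

# Constructed sample results; all domains are placeholders.
SAMPLES = {
    "direct":    Result("a.example", "pass", "a.example", "pass"),
    "forwarded": Result("a.example", "fail", "a.example", "pass"),
    "mismatch":  Result("b.example", "pass", "a.example", "pass"),
    "unsigned":  Result("a.example", "neutral", "", "none"),
}

def report():
    return {name: (variant_a(r), variant_b(r), staged(r), sorted(vouched_domains(r)))
            for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:10} a={row[0]!s:5} b={row[1]!s:5} {row[2]:24} {row[3]}")
```

The "forwarded" row is where variant (b) accepts while the staged flow rejects on SPF FAIL. The "mismatch" row passes both variants even though the two checks vouch for different domains.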
