Frank Ellermann wrote:
> Scott Kitterman wrote:
> > SPF + DKIM by itself can never reject before DATA.
>
> That's a new idea. My naive concept of SPF + DKIM was:
> - reject on FAIL (otherwise it's no SPF as specified)
> - optionally (your proposal) byPASS DKIM for PASS
> - normal DKIM for the rest (at least for NEUTRAL)
This leads to an interesting question:
There are two variants: (a) SPF and DKIM both are _required_ for a message
to pass, or (b) SPF and DKIM each are _sufficient_ for a message to pass.
Would it be useful to allow the _domain_owner_ to specify which variant
they prefer?
Both SPF and DKIM tighten up the mail system's rules in their own ways for
those who choose to participate. Meng Weng Wong has long been advocating
variant (b)[1,2] with the intent to solve the "forwarding problem". The
problem with this however is that the assertions made by successful SPF
and DKIM checks are not exactly equivalent. SPF (like Sender ID) says:
"The last hop, i.e. the calling IP address, was allowed to use the sender
domain", while DKIM says "The message has, at some time, passed through
an MTA of the sender domain".
As a result I don't think that variant (b) is "the right thing to do".
Also, assuming we allowed "the domain owner" to specify which variant they
prefer, there is always the possibility that the SPF domain doesn't match
the DKIM domain (i.e. MAIL FROM:<lamer@aol.com>, Sender:
snake@pit.com).
In that case, should the SPF domain owner be allowed to specify that the
authenticity (yeah, go ahead and stone me to death) of the DKIM domain
should or should not be checked?
Anyone replying to this message, please keep thinking ahead. We need to
explore this area more.
References:
1. http://spf.pobox.com/slides/unified%20spf/0434.html
2. http://spf.pobox.com/slides/motherzombie/0221.html
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
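To make the two combination variants and the domain-mismatch case concrete, here is a small evaluator written for this archive page; it is not code from the thread or from any SPF/DKIM implementation. The result strings, the `AuthResult` fields and the scenarios are constructed assumptions: SPF is evaluated on the MAIL FROM domain, DKIM on the signing (Sender) domain, and the forwarding case is modelled as SPF "fail" with a valid DKIM signature.

```python
from dataclasses import dataclass

BOTH_REQUIRED = "a"       # variant (a): SPF and DKIM must both pass
EITHER_SUFFICIENT = "b"   # variant (b): one passing check is enough


@dataclass
class AuthResult:
    spf: str          # "pass", "fail", "softfail", "neutral", "none"
    spf_domain: str   # domain taken from MAIL FROM
    dkim: str         # "pass", "fail", "none"
    dkim_domain: str  # domain whose signature verified (Sender domain)


def evaluate(res: AuthResult, variant: str) -> dict:
    """Combine SPF and DKIM under variant (a) or (b).

    Besides the verdict, report which domain(s) actually vouched for the
    message and whether the SPF and DKIM domains are the same, so a
    receiver can see when a "pass" under variant (b) came from a domain
    other than the one SPF evaluated.
    """
    spf_ok = res.spf == "pass"
    dkim_ok = res.dkim == "pass"
    if variant == BOTH_REQUIRED:
        accepted = spf_ok and dkim_ok
    elif variant == EITHER_SUFFICIENT:
        accepted = spf_ok or dkim_ok
    else:
        raise ValueError(f"unknown variant {variant!r}")
    vouched = [d for ok, d in ((spf_ok, res.spf_domain),
                               (dkim_ok, res.dkim_domain)) if ok]
    return {
        "accepted": accepted,
        "vouched_by": vouched,
        "domains_aligned": res.spf_domain.lower() == res.dkim_domain.lower(),
    }


# Constructed scenarios (not real mail): a forwarded message whose SPF
# check fails at the last hop but whose signature survived, and the
# mismatch case from the message (MAIL FROM at aol.com, Sender at pit.com).
FORWARDED = AuthResult("fail", "example.org", "pass", "example.org")
MISMATCH = AuthResult("pass", "aol.com", "pass", "pit.com")

if __name__ == "__main__":
    for name, res in (("forwarded", FORWARDED), ("mismatch", MISMATCH)):
        for variant in (BOTH_REQUIRED, EITHER_SUFFICIENT):
            print(name, variant, evaluate(res, variant))
```

Under variant (b) the forwarded message is accepted on DKIM alone, while in the mismatch case both checks pass but `domains_aligned` is false, which is the situation where the SPF domain owner has no say over the DKIM domain.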