spf-discuss

Re: [spf-discuss] DKIM modifier

2005-09-12 11:44:49
On Mon, 12 Sep 2005 15:52:59 +0200 Julian Mehnle <julian(_at_)mehnle(_dot_)net> 
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Frank Ellermann wrote:
> > Scott Kitterman wrote:
> > > SPF + DKIM by itself can never reject before DATA.
> >
> > That's a new idea.  My naive concept of SPF + DKIM was:
> >
> > - reject on FAIL (otherwise it's no SPF as specified)
> > - optionally (your proposal) byPASS DKIM for PASS
> > - normal DKIM for the rest (at least for NEUTRAL)
>
> This leads to an interesting question:
>
> There are two variants: (a) SPF and DKIM both are _required_ for a message
> to pass, or (b) SPF and DKIM each are _sufficient_ for a message to pass.
>
> Would it be useful to allow the _domain_owner_ to specify which variant
> they prefer?
>
> Both SPF and DKIM tighten up the mail system's rules in their own ways for
> those who choose to participate.  Meng Weng Wong has long been advocating
> variant (b)[1,2] with the intent to solve the "forwarding problem".  The
> problem with this however is that the assertions made by successful SPF
> and DKIM checks are not exactly equivalent.  SPF (like Sender ID) says:
> "The last hop, i.e. the calling IP address, was allowed to use the sender
> domain", while DKIM says "The message has, at some time, passed through
> an MTA of the sender domain".
>
> As a result I don't think that variant (b) is "the right thing to do".

DKIM has 1st party signatures and 3rd party signatures.  WRT 3rd party
signatures I agree.  For 1st party with appropriate Sender Signing Policy
(SSP) I think it's different.

> Also, assuming we allowed "the domain owner" to specify which variant they
> prefer, there is always the possibility that the SPF domain doesn't match
> the DKIM domain (i.e. MAIL FROM:<lamer(_at_)aol(_dot_)com>, Sender:
> snake(_at_)pit(_dot_)com).

This is why 1st party only, I think.

> In that case, should the SPF domain owner be allowed to specify that the
> authenticity (yeah, go ahead and stone me to death) of the DKIM domain
> should or should not be checked?
>
> Anyone replying to this message, please keep thinking ahead.  We need to
> explore this area more.

Yes.  More thinking definitely needed.  I'm certainly not sure.

Scott K
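As an added illustration (not code from the thread, from the SPF project or from any poster), the following Python sketch models the policy choices discussed above: Frank's "reject on FAIL, bypass DKIM on PASS, run DKIM for the rest" sequence, Julian's variants (a) "both required" and (b) "either sufficient", Scott's restriction to 1st-party signatures, and the case where the SPF (MAIL FROM) domain differs from the DKIM signing domain. The Policy field names, the accept/reject verdict strings and the sample messages are assumptions made for the example; a real filter would feed these results into scoring rather than reject outright.

```python
"""Toy evaluator for the SPF + DKIM combination policies discussed in the
thread.  Added example, not code from the SPF project or from any poster;
the Policy field names, verdict strings and sample messages are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Spf(Enum):
    PASS = "pass"
    FAIL = "fail"
    SOFTFAIL = "softfail"
    NEUTRAL = "neutral"
    NONE = "none"


class Dkim(Enum):
    PASS = "pass"
    FAIL = "fail"
    NONE = "none"


@dataclass(frozen=True)
class Message:
    mail_from: str              # envelope MAIL FROM address (the SPF identity)
    sender: str                 # Sender: / From: header address
    spf: Spf                    # result of the SPF check on mail_from's domain
    dkim: Dkim                  # result of verifying the DKIM signature
    dkim_domain: Optional[str]  # d= of the verified signature, if any


@dataclass(frozen=True)
class Policy:
    variant: str              # "a": SPF and DKIM both required; "b": either one sufficient
    reject_on_spf_fail: bool  # reject at MAIL FROM on SPF FAIL (Frank's first step)
    first_party_only: bool    # count only signatures whose d= is the header identity's domain
    require_alignment: bool   # also require the SPF (MAIL FROM) domain to equal d=


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def is_first_party(msg: Message) -> bool:
    """A 1st-party signature is one whose d= matches the header identity's domain."""
    return msg.dkim_domain is not None and msg.dkim_domain.lower() == domain_of(msg.sender)


def pre_data_verdict(msg: Message, policy: Policy) -> Optional[str]:
    """What can be decided at MAIL FROM time.  Only the SPF result exists yet;
    the DKIM signature lives in the headers, which arrive after DATA."""
    if msg.spf == Spf.FAIL and policy.reject_on_spf_fail:
        return "reject"
    return None


def dkim_counts(msg: Message, policy: Policy) -> bool:
    """Does the DKIM result satisfy the policy's signature requirements?"""
    if msg.dkim != Dkim.PASS or msg.dkim_domain is None:
        return False
    if policy.first_party_only and not is_first_party(msg):
        return False
    if policy.require_alignment and domain_of(msg.mail_from) != msg.dkim_domain.lower():
        return False
    return True


def verdict(msg: Message, policy: Policy) -> str:
    """Final accept/reject after DATA, combining SPF and DKIM per the variant."""
    early = pre_data_verdict(msg, policy)
    if early is not None:
        return early
    spf_ok = msg.spf == Spf.PASS
    dkim_ok = dkim_counts(msg, policy)
    if policy.variant == "a":
        accepted = spf_ok and dkim_ok
    elif policy.variant == "b":
        accepted = spf_ok or dkim_ok
    else:
        raise ValueError(f"unknown variant {policy.variant!r}")
    return "accept" if accepted else "reject"


# Assumed policies (names are this example's, not the thread's).
STRICT = Policy("a", reject_on_spf_fail=True, first_party_only=True, require_alignment=True)
FRANK = Policy("b", reject_on_spf_fail=True, first_party_only=True, require_alignment=False)
LENIENT = Policy("b", reject_on_spf_fail=False, first_party_only=True, require_alignment=False)

# Constructed sample messages (only the aol.com/pit.com pair comes from the thread).
FORWARDED = Message("alice@example.org", "alice@example.org", Spf.FAIL, Dkim.PASS, "example.org")
MISMATCH = Message("lamer@aol.com", "snake@pit.com", Spf.NEUTRAL, Dkim.PASS, "pit.com")
THIRD_PARTY = Message("bob@example.net", "bob@example.net", Spf.NEUTRAL, Dkim.PASS, "list.example")

if __name__ == "__main__":
    for name, msg in [("forwarded", FORWARDED), ("mismatch", MISMATCH), ("3rd-party", THIRD_PARTY)]:
        for pname, pol in [("strict", STRICT), ("frank", FRANK), ("lenient", LENIENT)]:
            print(f"{name:10} {pname:8} pre-DATA={pre_data_verdict(msg, pol)} final={verdict(msg, pol)}")
```

The point of separating pre_data_verdict from verdict is that only the SPF result is known at MAIL FROM; under the LENIENT policy (variant (b) without the FAIL rejection, the shape Meng's forwarding fix needs) an SPF FAIL is never final because a later 1st-party DKIM pass can rescue the forwarded message, so nothing can be rejected before DATA. The MISMATCH fixture shows why Scott and Julian worry about the domains: with first_party_only the pit.com signature is accepted on the strength of the Sender: header alone, and only require_alignment ties it back to the aol.com MAIL FROM that SPF evaluated.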

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com