spf-discuss
[Top] [All Lists]

[spf-discuss] Re: DKIM modifier

2005-09-13 01:00:07
Scott Kitterman wrote:

DKIM and SPF both have a hard spot to get around.  DKIM fails
on mailing lists that modify messages (almost all of them)
and SPF fails on forwarders that don't do SRS (or some other
solution even less likely to be seen in the wild today)
[...]
Finding a way to combine the results to cover the weaknesses
of each if, I think, an interesting and worthy problem to
solve.

Personally I've a problem with the latter:  So far I'm not yet
convinced that DKIM really is a good idea.  If it's only what
Doug envisions - arbitrary entity on the route signs whatever
it got, declaring its "accountability" (= "trust me, it was
already spam when it arrived here" ;-) - it's not very "sexy"
for me:  SpamCop does a good job to detect some abuse report
addresses without DKIM.

It starts to get more interesting with SSP if the "arbitrary
entity" is in fact the MSA of the sender, and the sender can
somehow state that everything else claiming to be from him is
bogus (or at least dubious, like SPF NEUTRAL or SOFTFAIL).

But so far that's a part of DKIM that I don't understand - or
one of several parts that I don't understand:  It's also not
immediately clear for me why the signed header fields are
_copied_ into the DKIM header field.  

I'm waiting that the DKIM list gets its "threat analysis" and
Charter ready, because finding a better WSP-canonicalization
is something where I could maybe contribute more than stupid
questions - not limited to "why not simply use SPF ?" ;-)

That said, I don't think that DKIM's mailing list "issue" is a
"hard spot", as you said it.  If a mailing list sends me some
munged crap and I can't check if that was really from say you,
so what ?  I trust that the mailing list isn't completely evil
and tries to get it right.  It should defend itself with all
available tools, sure, but it's less important that I can also
check this.

I certainly don't have any forwarding between me and mailing
lists, so if the list has a SPF sender policy it's good enough
from my POV.
                            Bye, Frank


-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

<Prev in Thread] Current Thread [Next in Thread>