[spf-discuss] SPF, DKIM, and NIH
2009-10-06 22:58:06
I hinted at the following as an aside in my Forwarder Mitigation
proposals, but no one really picked up on the idea. So I'm going to
repeat it more directly:
An ugly practical fact is that neither SPF nor DKIM-ADSP checking
policies are suitable for deployment at e-mail providers which don't
know their users well. Only vanity domains, and e-mail providers which
specialize in custom spam filtering, can use them safely.
This is because SPF checking will false-positive on traditional
forwarding, and DKIM-ADSP will false-positive on most mailing list
traffic.
But, the reason DKIM-ADSP suffers mailing list FPs is not because of any
deficiency in its cryptographic approach. It's only because it tries to
guard the header from (From:), rather than the envelope sender (MAIL
FROM:), that it has this problem. Meanwhile, its cryptographic approach
does well at avoiding traditional-forwarder FPs.
Thus, I see a niche for a protocol that, like SPF, guards the envelope
sender, but uses cryptography like DKIM. Such a protocol could be
safely deployed blindly at large ISPs.
If I understand DKIM correctly, DKIM validators are to ignore DKIM
signatures that sign what, to them, is the "wrong" identity. So, there
should be no obstacle to mailservers double-signing a message when the
envelope MAIL FROM: and the header From: are not the same.
Since only a simple flag is needed, it would make sense to piggyback
this on SPF records with a special modifier. (Such as the "fm=dkim"
from my original sender-side forwarder mitigation proposal...)
Some might say that this makes all the rest of SPF pointless. To this,
I'd first point out that such sentiment betrays the ugly, irrational Not
Invented Here syndrome. This is about suppressing abusive mail, not
building empires.
And the rest of SPF can still have a point. Receivers can opt to skip
the work of DKIM-on-envelope validation if normal SPF gives a clear
pass, and they can also reject at RCPT if normal SPF gives a clear fail
*and* they are sure there are no unwhitelisted forwarders.
---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
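The receiver-side logic the post sketches, written out as an added Python example; this is not the poster's code and not part of any SPF or DKIM implementation. It assumes the modifier is spelled exactly `fm=dkim` (the post's placeholder, not a registered SPF term), that "normal SPF" has already been evaluated on MAIL FROM by the caller, and it stands in for DKIM cryptographic verification with a caller-supplied set of domains whose signatures verified, since a real verifier needs DNS and RSA. The SPF record, addresses and DKIM-Signature header values are constructed for the example.

```python
import re
from email.utils import parseaddr

# Hypothetical SPF modifier taken from the post; it is not a registered SPF term.
ENVELOPE_DKIM_MODIFIER = "fm=dkim"

# Constructed sample: a list-relayed message whose envelope sender (the list's
# bounce address) differs from the author's header From:. Under the post's
# double-signing idea the message carries one DKIM signature per identity.
SAMPLE_MAIL_FROM = "<bounce@lists.example.net>"
SAMPLE_HEADER_FROM = "Alice <alice@example.org>"
SAMPLE_DKIM_HEADERS = [
    "v=1; a=rsa-sha256; d=lists.example.net; s=list; h=from:to:subject; bh=BH1; b=SIG1",
    "v=1; a=rsa-sha256; d=example.org; s=author; h=from:to:subject; bh=BH1; b=SIG2",
]
SAMPLE_SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 fm=dkim -all"


def spf_record_requests_envelope_dkim(record: str) -> bool:
    """True if the SPF TXT record carries the hypothetical fm=dkim modifier.
    SPF terms are whitespace-separated; modifiers have the form name=value."""
    return any(term.lower() == ENVELOPE_DKIM_MODIFIER for term in record.split())


def address_domain(addr: str) -> str:
    """Domain part of an RFC 5322 address or a bare/bracketed MAIL FROM value."""
    _, bare = parseaddr(addr)
    return bare.strip("<>").rpartition("@")[2].lower()


def dkim_signing_domains(dkim_signature_headers):
    """Return the d= tag of each DKIM-Signature header value, in header order."""
    domains = []
    for value in dkim_signature_headers:
        m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", value)
        if m:
            domains.append(m.group(1).lower())
    return domains


def domains_to_sign(mail_from: str, header_from: str) -> set:
    """Domains a sending MTA would sign for under the double-signing idea:
    the header From: domain, plus the MAIL FROM domain when it differs."""
    return {address_domain(header_from), address_domain(mail_from)}


def receiver_decision(spf_result, spf_record, mail_from,
                      dkim_signature_headers, verified_signing_domains,
                      no_unwhitelisted_forwarders):
    """Apply the receiver logic from the post.

    spf_result: result of normal SPF on MAIL FROM ('pass', 'fail', 'softfail',
        'neutral', 'none').
    verified_signing_domains: d= domains whose signatures verified; this stands
        in for a real DKIM verifier.
    no_unwhitelisted_forwarders: the receiver is sure every forwarder that may
        deliver to it has been whitelisted.
    """
    envelope_domain = address_domain(mail_from)
    if spf_result == "pass":
        return "accept"                   # plain SPF suffices; skip the crypto work
    if spf_result == "fail" and no_unwhitelisted_forwarders:
        return "reject-at-rcpt"           # safe only when forwarders cannot cause FPs
    if not spf_record_requests_envelope_dkim(spf_record):
        return "no-envelope-dkim-policy"  # fall back to the site's usual SPF handling
    # Select only the signature covering the envelope identity; a signature for
    # the header From: domain is the "wrong" identity here and is ignored.
    present = dkim_signing_domains(dkim_signature_headers)
    if envelope_domain in present and envelope_domain in verified_signing_domains:
        return "accept-envelope-dkim"
    return "fail-envelope-dkim"


if __name__ == "__main__":
    print(domains_to_sign(SAMPLE_MAIL_FROM, SAMPLE_HEADER_FROM))
    print(receiver_decision("fail", SAMPLE_SPF_RECORD, SAMPLE_MAIL_FROM,
                            SAMPLE_DKIM_HEADERS,
                            {"lists.example.net", "example.org"}, False))
```

The `verified_signing_domains` argument is the seam where a real DKIM verifier would plug in; everything else is the policy decision, which is the part the post is actually proposing.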