spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-07 23:43:15
On Wed, 7 Oct 2009, Ian Eiloart wrote:
> This doesn't need a new protocol. When receiving messages, you should apply
> SPF and DKIM tests, and apply reputation tests to the one that matches, if
> either. What you're looking for is a token that you can reliably apply
> reputation services to. An SPF fail simply means that you can't apply your
> reputation service to the envelope-sender. It doesn't mean that the message
> isn't good, so go ahead and see if it has a good DKIM signature.

Allowing a favorable SPF result to "rescue" a message with an unfavorable
DKIM/ADSP result is straightforward enough.

But the reverse is problematic.  SPF normally rejects failures at the
RCPT TO: command.  At this point, it is unknown whether the message bears
DKIM signatures, let alone whether they are valid.  It's not even known
whether a signature would be required, because this depends on the header
From.

The mailserver would have to defer all SPF-related rejections until DATA,
which would be a significant cost.  If the mailserver honours per-user
preferences for minimum SPF result to accept, this would then require the
use of 4xx-on-RCPT-TO tricks.  This cost would be applied across all mail,
most of which will be purportedly from domains which do not publish an
ADSP.

If "DKIM/EDSP" (*envelope* domain signing practices) information was
available, on an SPF fail the mailserver could look it up based on the MAIL
FROM it has seen.  If there is no EDSP, the mailserver could confidently
reject at RCPT TO.  If an EDSP is declared, the mailserver could go on to
accept the mail contingently, rejecting at DATA if the required signature
is missing or bogus.


Also, note that an "EDSP" protocol would take very little effort to
design.  All we need to do is standardize one new SPF modifier to flag a
domain as one that always signs the envelope from.  The rest is mere
coding.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
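
The two-stage decision described in the message above, sketched as an added example that is not part of the original post or of any SPF implementation. The modifier name `x-edsp` and its value `always` are hypothetical (the post names no modifier), the records are constructed, and DKIM verification is assumed to happen elsewhere and to yield the list of `d=` domains whose signatures verified.

```python
import re

# Hypothetical modifier: the post proposes "one new SPF modifier" but names none.
EDSP_MODIFIER = "x-edsp"

# SPF modifier syntax (RFC 4408): name "=" value,
# where name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ).
_MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")

def declares_edsp(spf_record):
    """True if the SPF record carries the hypothetical EDSP modifier."""
    terms = (spf_record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        m = _MODIFIER.match(term)  # mechanisms such as ip4:... do not match
        if m and m.group(1).lower() == EDSP_MODIFIER and m.group(2).lower() == "always":
            return True
    return False

def at_rcpt_to(spf_result, spf_record):
    """Decision at RCPT TO, before any header or signature has been seen."""
    if spf_result != "fail":
        return "accept"
    # On SPF fail, only a declared EDSP justifies waiting for DATA.
    return "defer-to-data" if declares_edsp(spf_record) else "reject"

def at_data(rcpt_decision, mail_from_domain, valid_dkim_domains):
    """Decision after DATA for a message accepted contingently at RCPT TO."""
    if rcpt_decision != "defer-to-data":
        return rcpt_decision
    # Assumption: the "required signature" is one whose d= is the MAIL FROM domain.
    signed = mail_from_domain.lower() in {d.lower() for d in valid_dkim_domains}
    return "accept" if signed else "reject"

def handle(spf_result, spf_record, mail_from_domain, valid_dkim_domains):
    """Run both stages; a reject at RCPT TO means DATA is never reached."""
    rcpt = at_rcpt_to(spf_result, spf_record)
    if rcpt == "reject":
        return rcpt
    return at_data(rcpt, mail_from_domain, valid_dkim_domains)

# Constructed sample records for example.com.
PLAIN_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
EDSP_RECORD = "v=spf1 ip4:192.0.2.0/24 x-edsp=always -all"
```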

