Re: [spf-discuss] SPF, DKIM, and NIH

Michael Deutschmann wrote:
> On Tue, 6 Oct 2009, Stuart D. Gathman wrote:
> (regarding a DKIM flag for SPF)
>   
> > This can't be verified until the entire message is received.
> >     
> If you know there are no incoming traditional forwards, you can still
> reject SPF-fail messages at RCPT TO, as before.
>
> This would just give cautious admins who would otherwise resort to Crap
> Receiverside mitigation (ie: treat fail as neutral), a way to give
> potentially forwarded mails a second chance, without letting through any
> messages the purported sender disapproves of.
>   
I believe it is possible to reject as soon as you see the DKIM-Signature 
header, but the problem will be the same as SPF - too many legitimate 
messages still have crap authentication.  Yet another chicken-and-egg 
situation.
In this message:

Authentication-Results: mta399.mail.re4.yahoo.com  
from=talamasca.ocis.net; domainkeys=fail (bad sig); 
from=talamasca.ocis.net; dkim=neutral (no  sig)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=2006-04-29; 
d=talamasca.ocis.net; 
b=sz+JhrXN7SDhsoGpgbaWnaAbsGY4yeCKiEuape/zVe8lsmTxYMQpjM5H37EZCvjY;
> > As to "NIH", it is not so much that as hoping "traditional" forwarding will
> > become inconvenient enough to die away like open relays.
> >     
> To some, the end of traditional forwarding has been just over the horizon
> ever since SRS was proposed.  Meanwhile, this attitude has permanently
> damaged SPFv1 by inspiring the use of Crap Senderside mitigation (ie:
> never use "-all").
>   
Last I heard 3% of SPF records ended in "-all", and 0% of forwarders are 
using SRS.  Has there been any change in the last year?
-- Dave



-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com