spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-11 21:42:58
On Sun, 11 Oct 2009 03:50:43 -0700 (PDT) Michael Deutschmann 
<michael(_at_)talamasca(_dot_)ocis(_dot_)net> wrote:
On Sun, 11 Oct 2009, David MacQuigg wrote:
I believe it is possible to reject as soon as you see the DKIM-Signature
header, but the problem will be the same as SPF - too many legitimate
messages still have crap authentication.  Yet another chicken-and-egg
situation.

In this message:

[ results showing Michael's mail, as relayed by list, to fail DK ]

Envelope-DKIM would not fail in this way.  Like SPF, it would not care
that the "From:" was forged.  Only the signing policy of the MAIL FROM:
domain (which for this list is "@jeeves.archives.listbox.com") would be
enforced.

Since mailing lists use their own envelope from, I guess I'm missing
something here.  What would your envelope DKIM be signing and who would
sign it?

I have a hard-fail DK record, since my commonsense understanding was that
people who subscribe to mailing lists must whitelist them before arming DK
to reject messages with broken signatures, even for "o=-" domains.

However, recently on the DKIM list it was claimed that the analogous
"dkim=all" ADSP does permit validators to act without considering the mailing
list problem....

RFCs can't mandate receiver behavior.  Your interpretation of the ADSP RFC is
sound.  What you got on the DKIM list was speculation of what receivers might
do, not what the RFC says.

Scott K
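
Added example, not part of the original message or of any SPF/DKIM project's code: one way a receiver could combine an ADSP (RFC 5617) result with a local whitelist of subscribed mailing lists, the receiver-side choice this thread discusses. The function names, action labels, the SPF-pass requirement and the sample whitelist are assumptions for illustration.

```python
# Receiver-side local policy around an ADSP result (added illustration).
ADSP_VALUES = {"unknown", "all", "discardable"}

# Constructed sample: envelope domains of lists this receiver subscribes to.
LIST_WHITELIST = {"jeeves.archives.listbox.com"}


def parse_adsp(txt):
    """Return the dkim= practice from an ADSP TXT record.

    A missing record, a missing dkim= tag, or an unrecognized value
    is treated as 'unknown'.
    """
    for tag in (txt or "").split(";"):
        name, sep, value = tag.partition("=")
        if sep and name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ADSP_VALUES else "unknown"
    return "unknown"


def local_action(adsp_txt, author_sig_valid, mail_from_domain,
                 spf_pass, list_whitelist=LIST_WHITELIST):
    """Map an ADSP outcome to this receiver's action.

    Returns 'accept', 'flag' or 'discard'. These labels are local
    policy (an assumption here), not behavior mandated by the RFC.
    """
    if author_sig_valid:
        return "accept"          # valid author-domain signature
    practice = parse_adsp(adsp_txt)
    if practice == "unknown":
        return "accept"          # domain makes no signing claim
    # Lists re-send under their own MAIL FROM and often break the
    # author's signature. Exempt them only when the envelope domain
    # was itself authenticated, so the exemption cannot be claimed
    # by simply forging a whitelisted MAIL FROM.
    if spf_pass and mail_from_domain.lower() in list_whitelist:
        return "accept"
    return "discard" if practice == "discardable" else "flag"
```
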

