
Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-12 06:20:58
Michael Deutschmann wrote:
I have a hard-fail DK record, since my commonsense understanding was that people who subscribe to mailing lists must whitelist them before arming DK to reject messages with broken signatures, even for "o=-" domains.

I don't think such behavior may ever become a common practice, as it implies keeping track of subscriptions and coordinating them with whitelisting. Too much work, if postmasters have to do it manually.

A good DKIM signature says that the signing domain trusts the message sender. Much like with SPF, that means nothing unless the recipient trusts the domain.

However, recently on the DKIM list it was claimed that the analogous "dkim=all" ADSP does permit validators to act without considering the mailing list problem....

Yeah, "dkim=all" sounds much like SPF's -all. However, they miss a ~all -- which even SPF does not specify in such a way as to provide for useful tools for practical testing. That way, it's hard for a recipient to discern whether a signature is broken because of a bug in the message's transmission rather than being an actual forgery.

I'm not DKIM signing (yet), but I think I would be content with just signing body From, Date, Message-ID, and possibly References or In-Reply-To. Those fields are seldom tampered with. OTOH, if authors want to sign the body they can do it themselves with either S/MIME or OpenPGP.
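
Added example, not part of the original message: a Python sketch of why a digest over only From, Date, Message-ID and In-Reply-To survives a mailing list that tags the Subject and appends a footer, while a body hash does not. It hashes the inputs only and is not a DKIM signature; the canonicalization is a simplified reading of RFC 6376, and the message, addresses and list behaviour are constructed.

```python
import base64, hashlib, re
from email import message_from_string

SIGNED = ["from", "date", "message-id", "in-reply-to"]  # fields named in the post

def relaxed_header(name, value):
    # RFC 6376 3.4.2 (simplified): lowercase name, unfold, collapse whitespace, trim
    value = re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"

def header_digest(msg, fields=SIGNED):
    data = "".join(relaxed_header(f, msg[f]) for f in fields if msg[f] is not None)
    return base64.b64encode(hashlib.sha256(data.encode()).digest()).decode()

def body_hash(msg):
    # RFC 6376 3.4.3 "simple": drop trailing empty lines, end with one CRLF
    body = msg.get_payload().replace("\r\n", "\n").rstrip("\n")
    body = body.replace("\n", "\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

def through_list(raw):
    # Constructed list behaviour (assumption): tag the Subject, append a footer
    msg = message_from_string(raw)
    subject = msg["Subject"]
    del msg["Subject"]
    msg["Subject"] = "[example-list] " + subject
    msg.set_payload(msg.get_payload() + "\n--\nexample-list footer\n")
    return msg

# Constructed sample message; every value here is made up for the example
ORIGINAL = """From: Alice <alice@example.org>
Date: Thu, 01 Jan 2009 12:00:00 +0000
Message-ID: <constructed-1@example.org>
In-Reply-To: <constructed-0@example.net>
Subject: header-only signing

Body text as the author wrote it.
"""

def compare(raw=ORIGINAL):
    before, after = message_from_string(raw), through_list(raw)
    return {
        "headers_survive": header_digest(before) == header_digest(after),
        "body_survives": body_hash(before) == body_hash(after),
        "subject_survives": header_digest(before, ["subject"])
                            == header_digest(after, ["subject"]),
    }

if __name__ == "__main__":
    print(compare())
```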


