spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-12 14:56:31
On Mon, 12 Oct 2009 12:20:07 -0400 (EDT) "Stuart D. Gathman" 
<stuart(_at_)bmsi(_dot_)com> wrote:
On Mon, 12 Oct 2009, Scott Kitterman wrote:

Without giving up SPF's mailing list FP immunity, it gains the same
forwarding FP immunity DKIM/ADSP has.


It would work smoother than a mere "reject mail only if DKIM/ADSP and SPF
both say Fail" policy, because the mailserver would know in advance
whether it is worthwhile to let an incoming SPF-fail transaction proceed
to DATA.

OK, then what is the sender signing?

The sender is signing MAIL FROM in a manner similar to SES.  SES would
actually be a more efficient way to accomplish the same goal, be
evaluated at SMTP envelope time, and works with the existing SPF standard
(via exists mechanism).

The drawback?  It requires the sender to supply a specialized backend to a DNS
server to handle the validation requests.  (PowerDNS is an authoritative only
open source DNS server that makes plug-in backends easy - so this is not a 
showstopper.)

On the other hand, the DKIMed MAIL FROM proposal puts the burden of
special software on the receiver.

Also in SES, the 'signature' is encoded in the mail from.  With this DKIM
envelope idea there is nothing to sign but the body and the body header.

Scott K
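
A sketch of the SES-style flow described in the message above, added here as an example and not taken from the thread or from the SES specification: the sender tags MAIL FROM, the receiver expands an SPF `exists` mechanism at envelope time, and the sender's DNS backend validates the tag. The `ses-<tag>-<user>` local-part layout, the `_ses` label, the key and `example.org` are assumptions; `%{l}` and `%{d}` are the standard SPF macros for the sender's local part and domain.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed sample key, known only to the sender
SPF_RECORD = "v=spf1 exists:%{l}._ses.%{d} -all"  # hypothetical policy for example.org


def _tag(user: str, domain: str) -> str:
    """Truncated HMAC over the real address; base32 so it survives DNS case folding."""
    msg = f"{user}@{domain}".lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode().lower()[:12]


def sign_mail_from(user: str, domain: str) -> str:
    """Sender side: rewrite the envelope sender to carry the tag (made-up layout)."""
    return f"ses-{_tag(user, domain)}-{user}@{domain}"


def expand_exists(mail_from: str) -> str:
    """Receiver side: expand the %{l} and %{d} SPF macros into the name to query."""
    local, domain = mail_from.rsplit("@", 1)
    target = SPF_RECORD.split("exists:")[1].split()[0]
    return target.replace("%{l}", local).replace("%{d}", domain).lower()


def backend_answer(qname: str, domain: str):
    """Sender's DNS backend: an A record if the tag verifies, else None (NXDOMAIN)."""
    suffix = f"._ses.{domain}".lower()
    if not qname.endswith(suffix):
        return None
    parts = qname[: -len(suffix)].split("-", 2)
    if len(parts) != 3 or parts[0] != "ses":
        return None
    _, tag, user = parts
    if hmac.compare_digest(tag.encode(), _tag(user, domain).encode()):
        return "127.0.0.2"
    return None


def spf_result(mail_from: str) -> str:
    """What the receiver concludes at MAIL FROM time, before DATA."""
    domain = mail_from.rsplit("@", 1)[1]
    return "pass" if backend_answer(expand_exists(mail_from), domain) else "fail"
```

This sketch puts no timestamp or expiry in the tag, so a tagged address that has been observed once stays valid until the key changes.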

