
Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-13 17:14:21
On Tue, 13 Oct 2009, Ian Eiloart wrote:

The advantage is that it permits trusted traditional forwarding. Which is
what's missing with SPF.

SPF provides trusted traditional forwarding with a little extra work
on the sender side to provide a custom DNS backend.

I should elaborate, perhaps I mis-phrased that. If you sign with DKIM, you
don't need to know whether your recipient is using traditional forwarding.
There's no work for you or the forwarder to do. It means that the recipient
can determine the origin of a traditionally forwarded email.

With SPF, you can of course allow trusted third parties to forward email for
you.

With the exists mechanism, you can "sign" the MAIL FROM and allow traditional
forwarding without knowing anything about the recipients.
The exists mechanism queries your custom DNS as to whether the signature
is valid.  It can be algorithm based, or a random string in a database.
This is known as "SES" (Signed Envelope Sender).  It works seamlessly with
SPF and with traditional forwarders from the standpoint of the recipient.
The sender has to set up the custom DNS to respond to the exists queries.
Typically, the exists would be the final mechanism before -all to avoid
the extra query in cases where the mail is not traditionally forwarded.

For instance:

example.com     IN TXT "v=spf1 mx exists:%{l}.ses.example.com -all"

And the ses.example.com zone is served by PowerDNS or another DNS server
with pluggable backends.  The MAIL FROM might look something like (using my SES
package):

SES=GSVRXAGC8F16O1BTE=john(_at_)example(_dot_)com

Though of course, the format is entirely arbitrary since it is validated
only by the sender.

Now that doesn't mean DKIM is useless.  SES doesn't include the body,
so the signature involves a timestamp and/or sequence number.  This
has to change infrequently enough that it won't prevent a recipient's
greylisting system from working, or else you have to store the MAIL FROM
in the queued message to be reused on retries (easier now that the milter
API includes CHGFROM).

The advantage of DKIM for envelope signing is that it includes the body.
The disadvantage of DKIM for envelope signing is that it includes the body.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
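The SES scheme described in the post, as an added worked example that is not the author's SES package or any list member's code: the sender signs the MAIL FROM local part with a keyed HMAC and a coarse timestamp, the recipient's SPF evaluation expands `exists:%{l}.ses.example.com`, and the sender's custom DNS backend answers that query only when the signature validates. The key, domain, tag layout, one-day timestamp bucket and three-day replay window are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed example, not the SES package from the post; key, domain, tag layout
# and timestamp granularity are hypothetical.
SECRET_KEY = b"constructed-per-sender-secret"   # known only to the sender's DNS backend
SES_DOMAIN = "example.com"
SES_ZONE = "ses." + SES_DOMAIN                 # SPF record: exists:%{l}.ses.example.com
BUCKET_SECS = 86400                             # coarse timestamp so greylisting retries still match
MAX_AGE_BUCKETS = 3                             # reject older signatures (bounded replay window)

def _tag(local_part: str, bucket: int) -> str:
    """HMAC over the original local part and time bucket, truncated, base32 (16 chars)."""
    # DNS names are case-insensitive, so fold the local part before hashing.
    msg = f"{local_part.lower()}|{bucket}".encode()
    return base64.b32encode(hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:10]).decode()

def ses_sign(local_part: str, now=None) -> str:
    """Sender side: MAIL FROM becomes 'SES=<tag>-<bucket>=<local>@domain'."""
    bucket = int((time.time() if now is None else now) // BUCKET_SECS)
    return f"SES={_tag(local_part, bucket)}-{bucket}={local_part}@{SES_DOMAIN}"

def ses_verify(signed_local: str, now=None) -> bool:
    """Validate one signed local part (what %{l} expands to in the exists query)."""
    parts = signed_local.split("=", 2)
    if len(parts) != 3 or parts[0].upper() != "SES" or "-" not in parts[1]:
        return False
    tag, bucket_str = parts[1].rsplit("-", 1)
    if not bucket_str.isdigit():
        return False
    bucket = int(bucket_str)
    current = int((time.time() if now is None else now) // BUCKET_SECS)
    if not (current - MAX_AGE_BUCKETS <= bucket <= current):
        return False
    # Constant-time comparison; the tag may arrive case-folded by resolvers.
    return hmac.compare_digest(tag.upper().encode(), _tag(parts[2], bucket).encode())

def exists_query_name(mail_from: str) -> str:
    """Recipient side: expand exists:%{l}.ses.example.com for this MAIL FROM."""
    return f"{mail_from.rsplit('@', 1)[0]}.{SES_ZONE}"

def dns_backend(qname: str, now=None) -> list:
    """Pluggable DNS backend: an A record means 'exists' matches; empty means NXDOMAIN."""
    suffix = "." + SES_ZONE
    if not qname.endswith(suffix):
        return []
    return ["127.0.0.2"] if ses_verify(qname[: -len(suffix)], now) else []
```

Because the tag is validated only by the sender's own backend, a forwarder needs no knowledge of the scheme, and a bounce to a MAIL FROM that never validated can be rejected at the sender's MX by the same check.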

