spf-discuss

[spf-discuss] Tracking userids --was: SPF, DKIM, and NIH

2009-10-17 09:06:51
Ian Eiloart wrote:
Without having some kind of worldwide individual identity system, it just can't be done.

No, we can.

At the University of Sussex, you mean?

What I mean by "spoofed" is that the email was sent from the account that it claims to be sent from. For gmail, for example, a valid DKIM signature is enough that I can assign reputation to the purported author. I don't need a worldwide ID system, I just need to know that the account that I'm judging is the correct one.

As an admin, I can't just reject all gmail email. I have no choice but to try to distinguish between good and bad senders. However, I can assign a default reputation to ESPs like gmail, for previously unseen users in their domain.

That seems a very clever work to me. I have two very basic questions about it:

1) How large does your database grow?

2) Do you [think to] publish that data?

Assuming that you reckon senders' reputation based on your users' complaints, if you forward them (or an anonymized version thereof) to google, you may be able to track their reactions, if any. Did you ever [try to] get in touch with google about such results? What percentage of gmail's users do you think you are tracking?

I'm also curious about possible generalizations. For different identities of the same user, gmail adds --and signs-- a Sender header. That's not a universal practice. Some other mail sites may mention the authenticated id in their Received header. How do you handle those cases?

TIA for expanding this subject
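
Added example, not part of the original message or of any poster's actual system: one way the per-account reputation lookup discussed in this thread could be keyed, assuming the receiving MTA records DKIM results in an Authentication-Results header. The authserv-id mx.example.org, the scores and the sample messages are constructed; only the From address is handled, not the Sender or Received cases asked about above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of our own MTA
USER_SCORE = {"alice@gmail.com": 0.9, "bulk@gmail.com": -0.8}  # constructed
DOMAIN_DEFAULT = {"gmail.com": 0.2}  # default for unseen users at a known ESP

def dkim_pass_domains(msg):
    """Signing domains (header.d) that passed DKIM, per our own MTA only."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # added upstream by someone else, so it may be forged
        for m in re.finditer(r"\bdkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            domains.add(m.group(1).lower())
    return domains

def tracked_identity(msg):
    """From address, but only if a passing signature covers its domain."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    _, at, domain = addr.rpartition("@")
    return addr if at and domain in dkim_pass_domains(msg) else None

def reputation(msg):
    """Per-account score, else the ESP default, else None (nothing to judge)."""
    ident = tracked_identity(msg)
    if ident is None:
        return None
    domain = ident.rpartition("@")[2]
    return USER_SCORE.get(ident, DOMAIN_DEFAULT.get(domain, 0.0))  # 0.0 = neutral

def sample(from_addr, auth_results):
    """Build a constructed test message."""
    return message_from_string(
        f"Authentication-Results: {auth_results}\nFrom: {from_addr}\n\nbody\n")

SAMPLES = {  # all constructed
    "known": sample("Alice <alice@gmail.com>", "mx.example.org; dkim=pass header.d=gmail.com"),
    "unseen": sample("new.user@gmail.com", "mx.example.org; dkim=pass header.d=gmail.com"),
    "failed": sample("alice@gmail.com", "mx.example.org; dkim=fail header.d=gmail.com"),
    "misaligned": sample("alice@gmail.com", "mx.example.org; dkim=pass header.d=bulk.example"),
    "untrusted": sample("alice@gmail.com", "mx.other.example; dkim=pass header.d=gmail.com"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, reputation(msg))
```

A message whose signature fails, whose signing domain differs from the From domain, or whose results header was not written by the local MTA gets no account reputation at all, rather than inheriting the score of the address it claims.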

