On 4/14/2015 5:31 PM, Murray S. Kucherawy wrote:
On Tue, Apr 14, 2015 at 1:24 PM, Rolf E. Sonneveld <r.e.sonnev...@sonnection.nl> wrote:

Remembering to what great lengths the ietf-dkim group went to make sure
that every bit of a message was covered by the signature (and with the l=
discussions in mind) I would really be surprised if adding the @fs= for all
outbound mail would be an acceptable solution for the problem.


I agree in general, but I'm not sure that's a valid comparison.  A bare
"l=0" is a lot less restricted than one that also includes "@fs=" and,
perhaps, something like a short expiration.  It could well be that's a
tolerable risk when compared with the cost of doing nothing here.

That "cost" has already been long established. The simple DNS lookup is cheaper to implement and more secure than the in-band alternative.

All we are learning from this thread is that getting DNS involved is a tough problem. We already knew that for years, since day one of all these DNS TXT-based solutions. But how are you going to explain that the best and simplest solution for DMARC, the simple ADID/SDID, is being blocked because it is presumed that implementors will not be able to work with their DNS peers?

Why can't both solutions be done? The optimized ADID/SDID DNS check and the fallback to a @fs=SDID signature check?

--
HLS
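The exchange above turns on how much a DKIM signature actually covers: a bare "l=0" leaves the whole body unsigned, and only a short "x=" expiration bounds how long such a signature can be replayed. The following is an added illustration, not code from the thread or from any DMARC implementation, that parses a DKIM-Signature tag list per RFC 6376 and reports that trade-off. The sample headers are constructed (their b= and bh= values are not real signatures), the one-hour threshold for a "short" expiration is an assumption, and the proposed "@fs=" tag is deliberately not modelled because its semantics are not defined on this page.

```python
"""Inspect a DKIM-Signature header for the l=0 / expiration trade-off.
Added example; not code from the mailing-list thread."""
import re

# Constructed sample headers (not taken from the page). The b= and bh=
# values are placeholders, not real signature material.
SAMPLE_BARE_L0 = (
    "v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed; "
    "h=from:to:subject:date; l=0; t=1429050000; "
    "bh=Zm9vYmFy; b=QUJD"
)
SAMPLE_L0_SHORT_X = (
    "v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed; "
    "h=from:to:subject:date; l=0; t=1429050000; x=1429053600; "
    "bh=Zm9vYmFy; b=QUJD"
)


def parse_tags(header_value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Folding whitespace inside values is dropped; a tag that appears twice
    makes the signature invalid per the RFC, so it is rejected here.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def assess(header_value, max_lifetime=3600):
    """Describe body coverage and whether an expiration bounds replay.

    max_lifetime is an assumed threshold (seconds) for what counts as a
    "short" expiration; pick it to match local policy.
    """
    tags = parse_tags(header_value)
    body_len = tags.get("l")
    # l=0 means the body hash covers zero bytes: the body is unsigned.
    body_unsigned = body_len == "0"
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    lifetime = (x - t) if (t is not None and x is not None) else None
    short_expiry = lifetime is not None and 0 < lifetime <= max_lifetime
    return {
        "body_unsigned": body_unsigned,
        "lifetime_seconds": lifetime,
        "short_expiry": short_expiry,
        # The "bare l=0" case: body unsigned and nothing bounding replay.
        "bare_l0": body_unsigned and not short_expiry,
    }


if __name__ == "__main__":
    for label, hdr in (("bare", SAMPLE_BARE_L0), ("short x=", SAMPLE_L0_SHORT_X)):
        print(label, assess(hdr))
```

A receiver applying local policy can treat `bare_l0` as the case to score down or report on, while a signature whose `short_expiry` is true at least limits the window in which a captured signature can be reused with a different body.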


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
