> On 11 Nov 2022, at 09:23, Laura Atkins <la...@wordtothewise.com> wrote:
> 
>> Ultimately, I don't think senders should DKIM sign mail they aren't willing to
>> take responsibility for, since that's exactly what a DKIM signature is
>> supposed to signify.
> 
> They took responsibility for the single opt-in message that was sent through 
> their system. I’m not sure they have any responsibility for the million 
> copies of the message the recipient sends through a different infrastructure. 
> Unless you’re saying that DKIM signatures should only be assigned to mail 
> that has been manually reviewed by the infrastructure host?

Manual review wouldn’t help.

A single email advertising something sent to a single recipient who has 
consented to receive it isn’t problematic, and it looks pretty much like every 
legitimate customer of the ESP.

That same mail, byte-for-byte identical, sent through non-ESP infrastructure to 
a million non-consenting recipients is a problem. And it’s not one that, 
currently, the ESP can do that much to mitigate (there are things they do to 
attempt to, such as breaking redirector links and so on, but that’s not that 
effective and it’s after the incident).

It’s not a new concern - I remember sitting in a Yahoo conference room 
discussing exactly this issue before DomainKeys was launched - but as mailbox 
providers pay more attention to DKIM-keyed reputation of mail streams it’s one 
that’s actively being abused.

The onus is probably on the receivers to mitigate the several related problems, 
as they’re the only responsible party that’s in a position to do so (they’re 
the only ones other than the spammer who see the email, and they’re the ones 
who are relying on DKIM identified mail streams to help deliver wanted mail and 
reject unwanted mail for their customers). I’m sure that ESPs would be happy to 
make changes that would assist them in doing that, of course.

Cheers,
  Steve

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
