> On 11 Nov 2022, at 09:23, Laura Atkins <la...@wordtothewise.com> wrote:
>
>> Ultimately, I don't think senders should DKIM sign mail they aren't willing to
>> take responsibility for, since that's exactly what a DKIM signature is
>> supposed to signify.
>
> They took responsibility for the single opt-in message that was sent through
> their system. I’m not sure they have any responsibility for the million
> copies of the message the recipient sends through a different infrastructure.
> Unless you’re saying that DKIM signatures should only be assigned to mail
> that has been manually reviewed by the infrastructure host?

Manual review wouldn’t help. A single email advertising something sent to a single recipient who has consented to receive it isn’t problematic, and it looks pretty much like every legitimate customer of the ESP.

That same mail, byte-for-byte identical, sent through non-ESP infrastructure to a million non-consenting recipients is a problem. And it’s not one that, currently, the ESP can do that much to mitigate (there are things they do to attempt to, such as breaking redirector links and so on, but that’s not that effective and it’s after the incident).

It’s not a new concern - I remember sitting in a Yahoo conference room discussing exactly this issue before DomainKeys was launched - but as mailbox providers pay more attention to DKIM-keyed reputation of mail streams it’s one that’s actively being abused.

The onus is probably on the receivers to mitigate the several related problems, as they’re the only responsible party that’s in a position to do so (they’re the only ones other than the spammer who see the email, and they’re the ones who are relying on DKIM identified mail streams to help deliver wanted mail and reject unwanted mail for their customers).

I’m sure that ESPs would be happy to make changes that would assist them in doing that, of course.

Cheers,
  Steve

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim