On Fri 11/Nov/2022 10:23:44 +0100 Laura Atkins wrote:
On 11 Nov 2022, at 05:04, Scott Kitterman <skl...@kitterman.com> wrote:

[...]

For those that have been around for a while this reminds me of the now long dead controversy about closing open relays. It's not identical, but I think it rhymes.

Back in the mists of the early Internet we didn't have submission services because any client could send email via (most) any MTA, so they weren't needed. As you can imagine, spamming was incredibly easy and the community gradually came around to the point that you can't just relay email for anyone, an MTA should serve authorized users (I oversimplify here). As this consensus was being developed, a substantial number of MTA operators objected. Eventually, being an open relay meant no one would take mail from you.

This seems similar.

I was around for the open relay discussions and I don’t see the parallels.


I do.

Going to a mailbox provider (MP[*]), obtaining an email address, and sending a message from it parallels going to an open relay and sending a message through it. The only differences are (1) the From: domain is constrained by the MP, and (2) the MP requires me to interact with their web server in order to set up an address. They both seem negligible to me.

The MP limits the volume of messages that a user can send out. However, by signing even one message, it takes the responsibility for its content. After all, DKIM was designed to allow discernment based on domain name rather than IP address. No surprise that someone can abuse a domain name through different IP addresses. A hasty and imprudent signature could easily cause risks.

Now, why does the MP take responsibility for unknown content?

If we extend the open relays parallel, we'd forecast that allowing anonymous users to freely set up (hundreds of) email addresses has to come to an end. Do MPs know the people they provide email services to? If they do, they can afford the risk of putting their reputation in their hands.

IOW, the simple solution is that free MPs send messages unsigned except for people they trust.


Best
Ale
--

[*] Previous messages use ESP, which I tend to associate with operators like Mailchimp, say, rather than Gmail. I had a hard time trying to understand why ESPs would let folks send a single opt-in message... Is it me?





_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
