The original SSP proposal was focused on whether a receiver should
expect a valid signature from the domain, but it was more open ended
than that. It was really intended as a way for the sending domain to
describe to any receivers what it does as a matter of policy. I noticed
that in draft-chuang-dkim-replay-problem they mentioned that spammers
sometimes leave the To and/or Subject unsigned. Aside from wondering how
they coax a provider whose reputation they are trying to use to do that,
it seems to me this might be an instance of where the sender could tell
the receiver what to expect. There may be other things that the sender
can inform receivers about their policies and practices to give them
more clues as to spamminess or abuse.
I know that DMARC is a follow-on to SSP/ADSP and so it is now out of
scope for this wg which is sort of a pity since it makes the process
much harder and they are not likely to be interested in anything other
than what they are currently doing. But we should keep in mind that that
could be part of the overall solution set.
That said, I don't know why we didn't make To:, Cc: and Subject:
mandatory signed fields. But even if it's not mandatory, that should be
a signal that the message should be given increased scrutiny.
Mike
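As an added illustration of the last point (not code from the post or from the list), a receiver-side check of which of To:, Cc: and Subject: a DKIM-Signature's h= tag covers, so that a message whose signature leaves them out can be routed for extra scrutiny. It only inspects the h= tag and assumes the signature has already been verified; the sample header values are constructed.

```python
import re

# Header fields the post argues should always be covered by the signature.
SCRUTINY_HEADERS = ("to", "cc", "subject")


def dkim_tags(signature_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature field value.

    Folded lines are joined first, because h= and b= commonly span lines.
    Only the first '=' separates tag from value, so base64 padding in b=
    is kept intact.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", signature_value)
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def signed_fields(signature_value: str) -> list:
    """Header names listed in h=, lower-cased; DKIM compares them case-insensitively."""
    h = dkim_tags(signature_value).get("h", "")
    return [name.strip().lower() for name in h.split(":") if name.strip()]


def unsigned_scrutiny_headers(signature_value: str) -> list:
    """Return the SCRUTINY_HEADERS that the signature does not cover."""
    covered = set(signed_fields(signature_value))
    return [name for name in SCRUTINY_HEADERS if name not in covered]


def needs_extra_scrutiny(signature_value: str) -> bool:
    return bool(unsigned_scrutiny_headers(signature_value))


# Constructed sample DKIM-Signature values (bh= and b= are placeholders).
SIGNED_ALL = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
              "\th=from:to:\r\n\t cc:subject:date:message-id;\r\n"
              "\tbh=CONSTRUCTEDHASH=; b=CONSTRUCTEDSIG==")
TO_SUBJECT_UNSIGNED = ("v=1; a=rsa-sha256; d=example.com; s=sel;"
                       " h=From:Cc:Date:Message-ID; bh=CONSTRUCTEDHASH=; b=CONSTRUCTEDSIG==")

if __name__ == "__main__":
    for label, sig in (("all signed", SIGNED_ALL), ("partial", TO_SUBJECT_UNSIGNED)):
        print(label, "-> unsigned:", unsigned_scrutiny_headers(sig))
```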
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim