On Thu, Feb 16, 2023 at 10:45 AM Scott Kitterman <ietf-d...@kitterman.com> wrote:
> On February 16, 2023 6:10:39 PM UTC, Evan Burke <evan.burke=40mailchimp....@dmarc.ietf.org> wrote:
> > The biggest current problem with replay is that it happens in bulk, at
> > substantial scale. x= is effective against that because it takes time to
> > send millions of messages. Is it perfect? No. But it's not difficult to
> > choose between 10,000 replays using my domain vs. millions.
>
> Okay. What's the value for X - T that prevents this problem, but doesn't
> cause DKIM signatures of "normal" mail to fail?

There's not one "right" value; we're talking about distributions of timings for normal mail vs. replay, and yes, there's some overlap there. In practice I've seen many signers choose expirations in the range of 1hr to a few days. 1hr can be very good at limiting the opportunity for high volume replay, but I estimate "normal" signature breakage at that level is on the order of 0.1%. 24hr is probably effectively zero breakage, but with greater opportunity for replay.

I understand the pushback; this is a list to talk about a standard, and standards tend to be a lot more binary in their functionality, so to speak. Maybe you're not receptive to a more practical solution - that's fine, I respect that - but I think there may be others here who are more open to that kind of approach.
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim
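The x= / t= trade-off discussed above, as an added example that is not code from the thread or from any DKIM implementation. It parses a constructed DKIM-Signature tag list, applies the RFC 6376 rules for t= and x= (x= must be greater than t=; a signature is treated as expired once the verifier's clock passes x=), and shows a signer-side helper that sets x= from t= plus a chosen window. The 300-second clock-skew allowance, the sample header (its b= value is a placeholder, not a real signature) and the list of observed delivery delays are all assumptions constructed for the example.

```python
import re

# Constructed sample header value (not taken from the thread). b= is a placeholder, not a real signature.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; "
    "t=1676544000; x=1676547600; b=placeholder"
)

# Assumed clock-skew tolerance in seconds; RFC 6376 leaves any such allowance to the verifier.
DEFAULT_SKEW = 300


def parse_tags(header_value):
    """Split a DKIM tag-list (RFC 6376 section 3.2) into a dict of tag -> value.

    Folding whitespace inside values is removed, as a verifier would do before
    interpreting t=, x= and b=.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def expiration_status(tags, now, skew=DEFAULT_SKEW):
    """Classify a signature's expiration state at verification time `now` (epoch seconds).

    Returns one of:
      'no-x'    - no x= tag, so there is nothing to enforce;
      'invalid' - x= is not greater than t= (a MUST in RFC 6376 section 3.5);
      'expired' - now is past x= plus the skew allowance;
      'valid'   - x= is present and not yet reached.
    """
    if "x" not in tags:
        return "no-x"
    x = int(tags["x"])
    if "t" in tags and x <= int(tags["t"]):
        return "invalid"
    if now > x + skew:
        return "expired"
    return "valid"


def signer_timestamps(t, window_seconds):
    """Signer side: derive the t= and x= tag values for a chosen expiration window."""
    if window_seconds <= 0:
        raise ValueError("x= must be greater than t=")
    return {"t": str(t), "x": str(t + window_seconds)}


def breakage_rate(delivery_delays, window_seconds):
    """Fraction of legitimate messages whose delivery delay exceeds the window.

    This is the 'normal signature breakage' a signer trades off against the
    replay opportunity when picking x= - t=.
    """
    if not delivery_delays:
        return 0.0
    broken = sum(1 for d in delivery_delays if d > window_seconds)
    return broken / len(delivery_delays)


# Constructed delivery-delay sample in seconds (not measured data from the thread).
SAMPLE_DELAYS = [2, 5, 30, 60, 600, 1800, 3000, 4000, 7200, 90000]


if __name__ == "__main__":
    tags = parse_tags(SAMPLE_HEADER)
    print(expiration_status(tags, now=int(tags["t"]) + 1800))   # within the 1h window
    print(expiration_status(tags, now=int(tags["x"]) + 3600))   # an hour past x=
    print(signer_timestamps(1676544000, 24 * 3600))
    print(breakage_rate(SAMPLE_DELAYS, 3600), breakage_rate(SAMPLE_DELAYS, 86400))
```

A verifier that ignores x= entirely is still conformant; the point of the helper is that whether a replayed copy fails is decided by the receiver's clock against the signer's chosen window, so the window only caps bulk replay at receivers that enforce it.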