On 8/29/23 9:02 PM, Dave Crocker wrote:
A possible way to think about how to approach this:

    1. Use the mechanism for messages deemed spammy by the originating
    platform, or for new users who do not yet have an established
    quality record, or...

    2. Add a header field that has semantics along the lines of "Yes I
    signed this and yes I sent it, but I'm not happy about it."

Why not re-use the existing DKIM solution, just with a different domain / set of keys?

Let a domain establish a bad reputation. Especially if it's being used for sending messages that are considered to be questionable.

Plumbing historically has had clean water and waste water. Now -- what is called -- grey water is being used in some places in parallel to the other two. There is no false pretense that grey water is new nor waste. Grey water is its own thing and it is treated as such.

    3. Receiving hosts can take this as a flag for extra caution. The
    damn thing still gets to victim platforms, but those platforms have a
    bit more information to factor in.

I feel like this falls back to a priming problem of who sends the flag because not enough people are checking for it and not enough people will check for it because not enough people are sending it. What's more is that this is going to be viewed by some as tantamount to $SO_AND_SO is sending $SPAM, see they even tag it as such.

DKIM, SPF, et al, are all 'collaborative' mechanisms. Originators and receivers opt in to use them. Both sides are necessary. So I'm wondering about looking for something that furthers the collaboration.

Or re-use the existing systems that are already in place and being used by much of the email community.

Just use different domains / keys to indicate different things.

No new standards. No new code. No new config. Just a new domain / set of keys that need to establish a reputation, whatever that is. That's something that already happens day in and day out.

And the attacker can't bypass it, if the signature covers enough (or all) of the message.

Maybe I'm too salty for the end of a long day, but I feel like this is in some ways "nothing new to see here, move along".



--
Grant. . . .
unix || die

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
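
The message above rests on two things a receiver can read straight off a DKIM-Signature header: which domain (d=) signed, and how much of the message the signature covers (h=, l=). The following is an added example, not code from the thread or from any DKIM implementation; the domains, selector, STREAMS table and MUST_COVER policy are assumptions, and it inspects the header only, without verifying the signature cryptographically.

```python
import re

# Constructed sample (not from the thread): a platform that signs unvetted
# mail with a separate, hypothetical domain. bh=/b= are placeholders.
SAMPLE = (
    "From: new.user@example.com\r\n"
    "To: someone@example.org\r\n"
    "Subject: hello\r\n"
    "Date: Tue, 29 Aug 2023 21:02:00 -0600\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=grey.example.net; s=sel2023; l=120;\r\n"
    "\th=from:to:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "\r\nbody\r\n"
)
# Assumed receiver-side data: reputation is tracked per signing domain.
STREAMS = {"mail.example.com": "established", "grey.example.net": "grey"}
MUST_COVER = ("from", "to", "subject", "date")  # assumed local policy

def parse_headers(raw):
    """Return [(lowercase name, unfolded value)] for the header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n([ \t])", r"\1", head)  # unfold continuation lines
    return [(n.strip().lower(), v.strip())
            for n, _, v in (line.partition(":") for line in head.split("\r\n"))]

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def review(raw, must_cover=MUST_COVER):
    """Report signing domain and coverage gaps for each DKIM-Signature."""
    headers = parse_headers(raw)
    present = {n for n, _ in headers}
    reports = []
    for name, value in headers:
        if name != "dkim-signature":
            continue
        t = parse_tags(value)
        signed = {h.lower() for h in t.get("h", "").split(":") if h}
        domain = t.get("d", "").lower()
        reports.append({
            "domain": domain,
            "stream": STREAMS.get(domain, "unknown"),
            # Headers present in the message but left out of h=
            "uncovered": sorted(h for h in must_cover
                                if h in present and h not in signed),
            "body_limited": "l" in t,  # l= leaves trailing body unsigned
        })
    return reports
```
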