On Nov 2, 2005, at 11:50 AM, Hector Santos wrote:

> I doubt that an email service, who values customer service and PR as much as the next service, will not disclose a TOS or inform users of the change in policies.

Terms of service are irrelevant. Who is held accountable with respect to reputation? SSP authorization invites the email-address domain owner to be held accountable via MUA/MDA extensions. While some providers see this as a major benefit, the only defensive strategy permitted by this scheme is to prohibit all third-party signatures.

This removes independent use of email-addresses and list-servers, for example. As a general principle, the entity introducing messages is held accountable as a means to abate abusive traffic. SMTP can not endure accepting all messages to then apply SSP policies on entities unrelated to the introduction of the message. The added DKIM verification process will only make this principle more critical, especially with multiple signature stacks.


> In fact, with immediate SSP notification, it will provide legally friendly satisfaction of user expectations.

When DSN are often dropped, a query for an optional 'r=' parameter in an SSP record may be checked, but unlikely once the email-address obtains a bad reputation. While there may be some feedback resulting from this mechanism, there are few remedies available for the email-address domain owner. One would expect the signing-domain granting access to the abuser should be contacted instead. Stopping abuse at the source then permits the added security of DKIM.


> There might be risk for the email server who do not perform an SSP only which might cause user mail to be later rejected or worse lost.

I think you are saying that providers should check whether the email-address has authorized their domain before sending? If not, the message may be deleted.


> I remain unconvinced that most, if not, significant majority, Email Services, especially commercial ones, will not be interested in protecting their service from unrestricted domain abuse.

This is indeed a common refrain. Until MUAs are modified, DKIM offers no such protection however. When MUAs are modified, the signing-domain should be made visible in some manner. This could be done when an initial message is received, where the user is asked to approve these identifiers. Anytime an identifier appears to have changed, or another message looks like a message with retained identifiers, they should be alerted. In that case, there would be no need for an SSP scheme. None! This could be enhanced by offering recommendations contained directly within the signature on the scope of identifier needed to isolate the author.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
