----- Original Message -----
From: "Frank Ellermann" <[EMAIL PROTECTED]>
To: <ietf-dkim@mipassoc.org>

> Hector Santos wrote:
>
> > 80-84% of all SPF policies seen by SMTP receivers are NEUTRAL
> > (relaxed) policies. Among these, at least 60% are Bad Actors
> > exploiting a RELAXED domain policy.
>
> It's not possible to "exploit" NEUTRAL, as it's by definition the
> same as NONE. What's so unusual with 60% spam? Apparently a
> bit lower than the average. As with DKIM the only real exploit
> is a PASS from a white-listed source.

Good points. It would have been better to just say relaxed policies, in the case of SPF: Neutral, SoftFail.

The issue of PASS is true. Why should we trust it? But we don't have much more we can do here but to apply or augment optional and non-standard tracking concepts.

However, what you want to make sure you don't allow to fall through the cracks are the mixed policy and protocol inconsistencies, and that might include mixing DKIM with other methods as well at the implementation level. But at the very least, the protocol level.

The overall goal, at least from my (SSI) perspective, is providing consumer confidence in your product offerings. And that includes doing a diligent job in making sure what you are offering has a high payoff, is as transparent as possible and has no vulnerabilities ignored or neglected.

The first goal is to make sure that the "rules" are followed as they are expected to be followed. Any fault detected, in whatever form that may be, is how your protection is realized. When the rules are relaxed, fault detection is minimized.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

_______________________________________________
ietf-dkim mailing list
http://dkim.org
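The exchange above turns on what the SPF result of a "relaxed" policy actually is. The following is an added example, not code from this thread or from either poster: a minimal offline SPF evaluator for the ip4/ip6/all mechanisms (RFC 4408), run against three constructed records for a hypothetical domain whose only authorized sender range is 192.0.2.0/24. It shows that a spoofed sender gets FAIL under "-all", SOFTFAIL under "~all", and NEUTRAL under "?all", and that a receiver following RFC 4408 §2.5.2 must treat NEUTRAL exactly like NONE, which is the point Frank makes. Mechanisms needing DNS (a, mx, include, exists, ptr) are deliberately reported as permerror here so the example runs offline; that shortcut is an assumption of this example, not RFC behaviour.

```python
"""Minimal SPF evaluator (ip4, ip6, all) -- added example, not from the thread."""
import ipaddress

# RFC 4408 §4.6.2: qualifier prefix -> result when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that require DNS; this offline example does not evaluate them
# (assumption for the example: report permerror instead of looking them up).
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a published SPF record against the connecting IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifiers (redirect=, exp=) skipped here
            continue
        qualifier = "+"                    # RFC 4408 §4.6.2: default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # "all" always matches
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address/CIDR
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue                       # no match, try next mechanism
        if name in DNS_MECHANISMS:
            return "permerror"             # example-only: no DNS available offline
        return "permerror"                 # unknown mechanism
    return "neutral"                       # RFC 4408 §4.7: nothing matched -> neutral


def receiver_result(spf_result: str) -> str:
    """Apply RFC 4408 §2.5.2: a Neutral result MUST be treated like None."""
    return "none" if spf_result == "neutral" else spf_result


def evaluate_for_receiver(record: str, sender_ip: str) -> str:
    """What a compliant receiver actually acts on for this record and IP."""
    return receiver_result(evaluate_spf(record, sender_ip))


# Constructed sample data: the domain authorizes 192.0.2.0/24 only.
AUTHORIZED = "ip4:192.0.2.0/24"
RECORDS = {
    "strict":   f"v=spf1 {AUTHORIZED} -all",
    "softfail": f"v=spf1 {AUTHORIZED} ~all",
    "neutral":  f"v=spf1 {AUTHORIZED} ?all",
}
LEGIT_IP = "192.0.2.10"     # inside the authorized range
SPOOFED_IP = "203.0.113.5"  # a forger's host, outside the range


def demo() -> dict:
    """Result of each policy for a legitimate and a spoofed sender."""
    out = {}
    for policy, record in RECORDS.items():
        out[policy] = {
            "legit": evaluate_for_receiver(record, LEGIT_IP),
            "spoofed_raw": evaluate_spf(record, SPOOFED_IP),
            "spoofed_receiver": evaluate_for_receiver(record, SPOOFED_IP),
        }
    return out


if __name__ == "__main__":
    for policy, results in demo().items():
        print(f"{policy:9s} {results}")
```

Under the "?all" record the forged message ends with a raw result of neutral, which the receiver must downgrade to none; the record therefore gives the receiver no fault to detect, which is the sense in which a relaxed policy minimizes fault detection.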