Scott Kitterman wrote:
> On Thursday 27 July 2006 18:31, Jon Callas wrote:
>   
>>> If I use isp.example.com and they sign messages with my name and a key
>>> (theirs or mine, doesn't matter) and they also sign messages actually sent
>>> by joe spammer (another one of their customers) with my name and a key
>>> (again, theirs or mine), then it sucks to be me.  That's the problem.
>>>       
>> No, it doesn't suck to be you. The first letter of DKIM stands for
>> "Domain." It sucks to be example.com.
>>
>>     
> To clarify, by me, I meant my domain.  The problem is that in this type of
> scenario, there is no way to externally distinguish between mail actually
> sent by the vanity domain owner and mail sent by another customer of
> isp.example.com.
>   
I guess this means that isp.example.com is not worthy of your delegation
of signing authority to them, and you should shop elsewhere (find a more
reliable ISP, or sign your own messages).  I think the ISPs will get it
right fairly quickly if they lose business as a result of not
authenticating mail submission properly (or otherwise fixing whatever
mechanism allowed Joe Spammer's message through).

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
