On 30 Aug 2006 14:28:29 -0000 John Levine <[EMAIL PROTECTED]> wrote:
>>In addition, I would also note that it is extremely easy in a group like 
>>this to lose track of how non-technical many domain owners are today. 
>
>Right, and that means that they use someone else to provide their
>mail service.

Exactly.  Odds are, not the same provider that does their DNS.  They are in 
the middle.  

>Keep in mind that DKIM, unlike SPF, requires the active participation
>of whoever runs your outgoing mail server to apply signatures, unless
>you are enough of a weenie to run a signing engine in your MUA and do
>your own key management.  For the vast majority of non-technical
>users, their ISP or hosting company's MTA will apply its own
>signature, and that will be good enough.  Indeed, it will probably be
>better than a tiny domain's own signature, since whatever formal or
>informal reputation systems recipients use are much more likely to
>have entries for the ISP than for a tiny domain that sends 12 messages
>a week.

That sounds to me like you are saying that DKIM first party signing is only 
for big domains.  If that's the WG consensus, then that's what we should 
design to, but I hope not.  I have said before that I think scalable works 
two ways.  It has to scale small too.

I also think that you underestimate the scalability of the proprietary 
reputation vendors.  Mail servers get their IP address into such systems, for 
example Ironport's Senderbase, after having sent just a handful of 
messages.  I doubt name based systems will be less granular.

Let's not do another round of should reputation accrue based on the 
author's domain or the MTA operator's domain.  I, for one, think that, 
"You're little, third party is good enough for you" is not the right answer.

>I suppose it is hypothetically possible that providers will upgrade
>their MTAs to support per-domain DKIM signing and out of perverse
>hostility won't offer the DNS support for it.  That has never
>impressed me as a scenario likely enough to be worth inventing a new
>mechanism with unknown security problems that has to be implemented by
>all DKIM recipients.

It's fortunate then that that isn't the scenario I'm trying to support.  
The likely scenario is the outsourced MTA and DNS are provided via different 
companies.  I think MTA from the ISP and DNS from a name registrar is 
entirely typical.

At this point I'm not suggesting an alternative.  My point is that NS 
subdomain delegation is not sufficient by itself.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
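The split the thread is arguing about, as an added example that is not part of either post: a verifier looks up the signing key at `<selector>._domainkey.<domain>` (the DKIM TXT record convention), so when the domain owner's zone lives at a registrar and the signing MTA at an ISP, the key record is reachable only if the registrar-hosted zone either carries the TXT record itself or delegates `_domainkey.<domain>` to the ISP's nameservers. The toy resolver below walks constructed zones (all names, the selector `sel2006`, and the key material are made up) and shows the three outcomes: delegation in place, owner publishes the record directly, and ISP publishes a key that nobody can reach because the registrar zone has no NS delegation.

```python
"""Toy walk of DKIM key lookups across two DNS operators.

Added example, not from the mailing-list thread.  Zone data, operator
names (registrar, isp) and the selector are constructed; the resolver is
a minimal model of NS delegation, not a real DNS client.
"""
import copy
import re

# Constructed DKIM-Signature header as a signing MTA at the ISP would add it.
SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.net; s=sel2006;\n"
       "  h=from:to:subject; bh=ZmFrZWJvZHloYXNo=; b=ZmFrZXNpZ25hdHVyZQ==")


def parse_dkim_tags(header_value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_query_name(tags):
    """Name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


# Each operator hosts one zone: "_apex" plus owner-name -> {type: rdata}.
# An NS rdata given as (nameserver, operator) is a delegation we can follow.
ZONES_DELEGATED = {
    "registrar": {
        "_apex": "example.net",
        "example.net": {"NS": "ns1.registrar-dns.example",
                        "MX": "mx.isp-mail.example"},
        # The owner (or registrar) had to add this record for delegation.
        "_domainkey.example.net": {"NS": ("ns1.isp-mail.example", "isp")},
    },
    "isp": {
        "_apex": "_domainkey.example.net",
        "_domainkey.example.net": {"NS": ("ns1.isp-mail.example", "isp")},
        "sel2006._domainkey.example.net": {
            "TXT": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEYNOTREAL"},
    },
}

# Same ISP zone, but the registrar zone was never told about it.
ZONES_NO_DELEGATION = copy.deepcopy(ZONES_DELEGATED)
del ZONES_NO_DELEGATION["registrar"]["_domainkey.example.net"]

# Owner pastes the TXT record into the registrar zone by hand instead.
ZONES_OWNER_PUBLISHES = copy.deepcopy(ZONES_NO_DELEGATION)
ZONES_OWNER_PUBLISHES["registrar"]["sel2006._domainkey.example.net"] = {
    "TXT": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEYNOTREAL"}


def delegation_for(zone, qname):
    """Operator of the closest enclosing delegation below this zone's apex."""
    labels = qname.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate == zone["_apex"]:
            return None            # reached our own apex: no cut in between
        ns = zone.get(candidate, {}).get("NS")
        if isinstance(ns, tuple):
            return ns[1]
    return None


def lookup_key(qname, zones, start="registrar", max_hops=4):
    """Return (operator, txt) for the key record, or None if unreachable.

    Starts at the operator serving the parent zone, as a verifier following
    the delegation chain from the domain's authoritative servers would.
    """
    operator = start
    for _ in range(max_hops):
        zone = zones[operator]
        txt = zone.get(qname, {}).get("TXT")
        if txt is not None:
            return operator, txt
        operator = delegation_for(zone, qname)
        if operator is None:
            return None
    return None


if __name__ == "__main__":
    qname = key_query_name(parse_dkim_tags(SIG))
    print("verifier queries:", qname)
    for label, zones in (("delegated", ZONES_DELEGATED),
                         ("no delegation", ZONES_NO_DELEGATION),
                         ("owner publishes", ZONES_OWNER_PUBLISHES)):
        print(f"{label:16s} ->", lookup_key(qname, zones))
```

The "no delegation" case is the situation Scott describes: the ISP can sign with d=example.net and publish selectors all day, but unless someone with write access to the registrar-hosted zone adds either the NS delegation or the TXT record itself, every verifier's lookup fails and the signature is worthless.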
