>-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Hector Santos >Sent: Thursday, January 24, 2008 1:32 PM >To: [EMAIL PROTECTED] >Cc: [EMAIL PROTECTED]; ietf-dkim >Subject: Re: [ietf-dkim] Re: ISSUE 1521 -- Limit the >application of SSP tounsigned messages > >[EMAIL PROTECTED] wrote: > >> But I think there are a sufficient number of cases where >domain owners >> may want to make statements not just about mail that is not signed, >> but about mail that is not signed by them. > >Are you kidding me? I am willing to bet that given the >opportunity to do so, they will immediately apply strong >SIGNING requirements to their mail, IFF the receivers are >going to HONOR the policies. >
+1 My organization has recently started DKIM signing (millions and millions of emails signed in the last 10 days) for 5 large scale mailing domains plus making strong SPF assertions for those domains. The end game I want to see for DKIM-SSP (Can't we make SSP broader? Please?) would be for me to be able to make the assertion that ALL mail from these domains is signed and ONLY comes from the IP addresses indicated in our SPF records. Initial results working with receivers that are checking have been excellent. This assertion, if honored by receiving domains, will provide significant additional protection from phishing/trojan emails for huge numbers of inboxes. There is a small volume of email that appears to have broken signatures (a very few cases involving forwarding but it may be related to specific edge cases with regard to the choice of signed headers). Then there are the unsigned emails purporting to be us and not coming from our IP Address space.....phishing emails....trojan emails...... I think receivers are going to implement DKIM checking so fast your head will spin. I have a feeling that the default implementation - whether in the standard or not - is going to be to automatically check the SSP of the From anyways because there is real value in such a check. I think you are going to find receivers placing significant weight on strong assertions by domains. Why not codify something that has value and does not prevent someone deciding what to do with that check? The MAAWG website indicates (2nd Qtr 2007) that 86.7% of email is abusive email. Others report a higher percentage. Don't think for a minute that the bad folks aren't going to try to find ways to subvert DKIM in practice. Why make it weaker and more subject to gaming when we can make it stronger and more resistant to gaming? The dkim.org website contains this statement in the first paragraph: "Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication." Which has the stronger association with a particular message? A third party or the domain that is the purported originator of the message? >If we have such a relaxed mode of operation, bad guys just >have to run in legacy mode. No adaption required. > +1 >We are erroneously presuming everyone are going to depend on >DKIM being tied to reputation services and my view, this is >going to be the biggest mistake we make here. > +1 Mike _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html