On 11/22/10 9:25 AM, Steve Atkins wrote:
> ...
>
> But if you're trying to stop mail that's being sent by a bad
> actor... give up on this approach, as it's trivial to add a "fake"
> DKIM header that will not authenticate.
>
> Also, it may discard quite a bit
> of legitimate email, if any of your users subscribe to mailing
> lists (some mailing list managers are likely to strip out
> DKIM headers in the cases where they know they'll invalidate
> them).

Agreed. DKIM does not offer a comprehensive method to qualify the source of a message. Extensions, such as the TPA-Label scheme, could extend signing policy to include other authentication and authorization methods and retain delivery integrity. ADSP using just DKIM is likely to cause a significant loss of legitimate email, especially when DISCARDABLE is asserted.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
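
The two failure modes discussed in this message, as an added example that is not part of the original post or of any DKIM implementation: a receiver applies an ADSP practice using DKIM results alone to three constructed messages. The host names, the trusted authserv-id `mx.example.net` and the disposition labels are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumed authserv-id of our own verifier

def author_signature_passed(msg):
    """True only if our verifier recorded dkim=pass for the From: domain."""
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # stamped by someone else, possibly the sender
        for res in results.split(";"):
            m = re.search(r"\bdkim=pass\b.*?\bheader\.d=([\w.-]+)", res, re.S)
            if m and m.group(1).lower() == author:
                return True
    return False

def adsp_disposition(msg, practice):
    """Apply an ADSP practice (unknown / all / discardable) using DKIM alone."""
    if author_signature_passed(msg):
        return "pass"
    return {"discardable": "discard", "all": "suspect"}.get(practice, "no-judgement")

def make(headers):
    return message_from_string(headers + "\n\nbody\n")

# Constructed sample messages (not real traffic).
DIRECT = make("From: alerts@bank.example\n"
              "DKIM-Signature: v=1; d=bank.example; s=sel; b=CONSTRUCTED\n"
              "Authentication-Results: mx.example.net; dkim=pass header.d=bank.example")
# A "fake" DKIM-Signature plus a sender-supplied Authentication-Results header.
FORGED = make("From: alerts@bank.example\n"
              "DKIM-Signature: v=1; d=bank.example; s=sel; b=CONSTRUCTED\n"
              "Authentication-Results: attacker.example; dkim=pass header.d=bank.example\n"
              "Authentication-Results: mx.example.net; dkim=fail header.d=bank.example")
# Legitimate mail relayed by a list manager that stripped the signature.
VIA_LIST = make("From: alerts@bank.example\n"
                "List-Id: <users.lists.example>\n"
                "Authentication-Results: mx.example.net; dkim=none")

if __name__ == "__main__":
    for name, m in (("direct", DIRECT), ("forged", FORGED), ("via list", VIA_LIST)):
        print(name, "DKIM-Signature" in m, adsp_disposition(m, "discardable"))
```

The forged message carries a DKIM-Signature header yet is discarded, and the list-relayed message is discarded as well even though it is legitimate.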