On Jan 24, 2012, at 8:30 AM, Murray S. Kucherawy wrote:

>>>
>>> Let's say I put this line in the header of a bazillion messages in a
>>> spam run:
>>>
>>> DKIM-Signature: v=1; d=blackops.org; s=bogus; b=foo; bh=bar; h=baz;
>>> r=murray;
>>>
>>> I've just indirectly mailbombed you. Oops. The domain has to publish
>>> something about its willingness to get reports, not unlike the way
>>> that ADSP publishes a record about what to do if there's no signature
>>> that matches the From: domains. Perhaps something like this:
>>
>> I agree with it going in a DNS record, not in the signature for exactly
>> the reasons you state.
>
> The bottom part of Section 8.4 talks about not sending these automatically,
> which is kind of in line with what we tell people about FBLs. Should this
> just be normative? It's the same as the DNS idea except the indication is
> explicit rather than something published, and we're not putting yet another
> record in the DNS.

Over in draft-ietf-marf-as we are telling people it's OK to send unsolicited reports automatically due to authentication failures. We should be consistent about that, in one direction or the other.

Cheers,
  Steve
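
A sketch of the DNS opt-in gate discussed in this thread, added here as an illustration and not taken from any message or draft quoted above: a verifier decides where a failure report may go using only a record the signing domain publishes, never an address carried in the unverified signature header. The record name `_report._domainkey.<domain>`, the `ra=` tag, the `report_target` helper and the zone contents are assumptions made for this example.

```python
# Added illustration; record name, "ra=" tag and zone data are assumptions.

def parse_tag_list(value):
    """Parse a DKIM-style 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep and name.strip():
            tags[name.strip()] = val.strip()
    return tags


def report_target(sig_header_value, lookup_txt):
    """Return the address a failure report may be sent to, or None.

    The address comes only from a record the signing domain itself
    publishes; an r= value in the (unverified) header is ignored, so a
    forged signature cannot aim reports at a third party.
    """
    sig = parse_tag_list(sig_header_value)
    domain = sig.get("d", "").lower().rstrip(".")
    if not domain:
        return None
    record = lookup_txt("_report._domainkey." + domain)  # hypothetical name
    if record is None:
        return None  # domain never asked for reports: send nothing
    local = parse_tag_list(record).get("ra")  # hypothetical tag
    if not local or "@" in local:
        return None  # reports stay inside the publishing domain
    return local + "@" + domain


# Constructed zone data standing in for real DNS TXT lookups.
ZONE = {"_report._domainkey.example.com": "ra=dkim-reports"}

# The forged header from the thread, and a constructed opted-in counterpart.
FORGED = "v=1; d=blackops.org; s=bogus; b=foo; bh=bar; h=baz; r=murray;"
OPTED_IN = "v=1; d=example.com; s=sel1; b=foo; bh=bar; h=from; r=someone-else;"

if __name__ == "__main__":
    for header in (FORGED, OPTED_IN):
        print(parse_tag_list(header)["d"], "->", report_target(header, ZONE.get))
```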
