On Tuesday, January 24, 2012 11:32:10 AM Steve Atkins wrote:
> On Jan 24, 2012, at 8:30 AM, Murray S. Kucherawy wrote:
> >>> Let's say I put this line in the header of a bazillion messages in a
> >>> spam run:
> >>>
> >>> DKIM-Signature: v=1; d=blackops.org; s=bogus; b=foo; bh=bar; h=baz;
> >>> r=murray;
> >>>
> >>> I've just indirectly mailbombed you. Oops. The domain has to publish
> >>> something about its willingness to get reports, not unlike the way
> >>> that ADSP publishes a record about what to do if there's no signature
> >>> that matches the From: domains. Perhaps something like this:
> >>
> >> I agree with it going in a DNS record, not in the signature for exactly
> >> the reasons you state.
> >
> > The bottom part of Section 8.4 talks about not sending these
> > automatically, which is kind of in line with what we tell people about
> > FBLs. Should this just be normative? It's the same as the DNS idea
> > except the indication is explicit rather than something published, and
> > we're not putting yet another record in the DNS.
>
> Over in draft-ietf-marf-as we are telling people it's OK to send unsolicited
> reports automatically due to authentication failures. We should be
> consistent about that, in one direction or the other.

In draft-ietf-marf-spf-reporting as well. I think that the specification needs
to be reasonable for automatic reporting even if there will often be out of band
discussion about it.

Scott K
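
The report gating discussed in this thread, as an added example that is not part of the original messages or of any draft: a verifier sends a failure report only when the d= domain itself publishes an opt-in in DNS, and never takes the destination from the unauthenticated r= tag. The `_report._domainkey` record name, its `ra=` tag, the function names and the DNS data are assumptions of this example.

```python
import re

DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")
LOCAL_RE = re.compile(r"[A-Za-z0-9._+-]+")

def parse_tag_list(value):
    """Parse a DKIM-style "tag=value; tag=value" list into a dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ";" is allowed
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = val.strip()
    return tags

def report_destination(sig_value, txt_lookup):
    """Return the report address for a failed signature, or None.

    sig_value is the DKIM-Signature field value. It failed verification,
    so every tag in it, including r=, is attacker-controlled input.
    txt_lookup(name) returns the TXT strings published at that DNS name.
    """
    try:
        sig = parse_tag_list(sig_value)
    except ValueError:
        return None
    domain = sig.get("d", "").lower()
    if "r" not in sig or not DOMAIN_RE.fullmatch(domain):
        return None
    # Assumed record location: the opt-in lives under the signing domain.
    for txt in txt_lookup(f"_report._domainkey.{domain}"):
        try:
            local = parse_tag_list(txt).get("ra", "")
        except ValueError:
            continue
        if LOCAL_RE.fullmatch(local):
            return f"{local}@{domain}"
    return None  # no published opt-in: stay silent

# Constructed DNS data: only example.org has opted in to reports.
CONSTRUCTED_DNS = {"_report._domainkey.example.org": ["ra=dkim-reports"]}

def constructed_lookup(name):
    return CONSTRUCTED_DNS.get(name, [])

# The forged header from the thread: no DNS opt-in, so no report is sent.
FORGED = "v=1; d=blackops.org; s=bogus; b=foo; bh=bar; h=baz; r=murray;"
```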
