On 6/20/2014 12:13 AM, Stephen J. Turnbull wrote:
Hector Santos writes:
The DNS-based author domain defined policy is the only common
approach we have now.
To a man with a hammer, every problem looks like a nail.
Yes, indeed, in this case, it is that simple -- Occam's razor. Quite
Let us remember that DKIM+Policy were separated into two protocols; a
DKIM-BASE layer and a secondary domain signing practice layer (SSP which
evolved to ADSP). Making an invalid signature equal to a missing signature
concept was a security logic which allowed for the exclusive or strict
On Thu, Jun 19, 2014 at 11:15 AM, Hector Santos hsan...@isdg.net wrote:
While DKIM-BASE tried to clean up this separation of the author domain
policy, it could not because of all the past existing ADSP or SSP
references in the many DKIM related RFCs, see RFC6376, section 1.1. But
On Jun 19, 2014, at 11:45 AM, Murray S. Kucherawy superu...@gmail.com wrote:
On Thu, Jun 19, 2014 at 11:15 AM, Hector Santos hsan...@isdg.net wrote:
While DKIM-BASE tried to clean up this separation of the author domain
policy, it could not because of all the past existing ADSP or SSP
On Thu, Jun 19, 2014 at 12:36 PM, Douglas Otis doug.mtv...@gmail.com
wrote:
Our company has had extensive experience dealing with email spoofing.
While reputation is able to deal with bulk spamming, it is ineffective at
dealing with a phishing problem, the intent behind DMARC. It is a basic
Let me clarify it.
From a deterministic protocol standpoint, depending only on base signing
analysis has no payoff, i.e. no filtering is legitimately possible with high
confidence and zero/low false positive.
What is left is non-deterministic, heuristic, classification Bayesian scoring,
I do not understand this predilection for trying to change the DKIM base
engine. It doesn't need it.
Actually, I claim that a version bump is the approach least likely to
break existing clients.
I also don't understand the construct of 'special handling', never mind
not liking the idea of
signatures are already broken, but in that case there are an awful lot
of broken clients, starting with spamassassin. (I just checked.)
Out of curiousity, did you try having two signatures in various different
orders and combinations of validity?
No, but from looking at the code, I don't
John Levine writes:
I do not understand this predilection for trying to change the DKIM base
engine. It doesn't need it.
Actually, I claim that a version bump is the approach least likely to
break existing clients.
The point is to avoid breaking the anti-spam *system*. If the system