RE: [ietf-dkim] Charter bashing...

2005-10-12 Thread Bill.Oxley
All, As an interested newbie on the topic I have a question: What I want is to clearly identify what domain an email arriving at my mta is from. Hopefully at the dns level I can query the domain in the email, get a public key, match the hash in the header of the email to equate to the queried doma

RE: [ietf-dkim] list config, was Admilistrivia question

2005-10-18 Thread Bill.Oxley
Well if we made it an rss feed instead Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Levine Sent: Tuesday, October 18, 2005 1:33 PM To: i

RE: [ietf-dkim] Re: SSP and Sender header field

2005-10-26 Thread Bill.Oxley
I'm confused here, * If you're talking about lists with their own SSP. But I don't * see how that could help if a bad actor claims to be a list, and * to send mail "from" ebay. Somehow the SSP of ebay must be able * to say "lie" no matter what the phisher-disguised-as-list does. If a bad actor

RE: [ietf-dkim] ebay / eboy

2005-11-01 Thread Bill.Oxley
Matching the From to the DKIM signing will only be useful to define whose domain in the From field does not match the signing domain, there may be a lot of interesting information to be gleaned from that. Using that info to drive internal policy may interest some folks and does not apply to others.

RE: [ietf-dkim] DKIM proposed charter tweak

2005-11-02 Thread Bill.Oxley
Would like to change the following "While the techniques specified by the DKIM working group will not prevent fraud or spam, they will provide a tool for defense against them by allowing receiving domains to detect spoofing of known domains." to While the techniques specified by the DKIM working

RE: [ietf-dkim] DKIM proposed charter tweak

2005-11-05 Thread Bill.Oxley
A domain is a public IP Class or Address assigned by a registrar to an individual or company. Sending domain is the IP Class or Address that sent the message. Receiving domain is the IP Class or Address that is considering accepting the message. Very straightforward as I can receive a message w

RE: [ietf-dkim] DKIM charter

2005-11-15 Thread Bill.Oxley
The only problem I have with SPF is a possible licensing nightmare wrt Microsoft. Even if deployed I would be looking at a way to get it out of my network. If you look at new installs of SPF it is stalled since Microsoft announced. Building DKIM around SPF is not a good idea although keeping it ope

RE: [ietf-dkim] SSP security relies upon the visual domain appearance

2005-11-17 Thread Bill.Oxley
Doug, If the hash validates to the signing domain and first sender, why is it necessary that the two domains be the same? thanks, Bill -Original Message- From: [EMAIL PROTECTED] on behalf of Douglas Otis Sent: Thu 11/17/2005 6:43 PM To: Stephen Farrell Cc: IETF-DKIM Subject: Re: [ietf

RE: [ietf-dkim] SSP security relies upon the visual domain appearance

2005-11-18 Thread Bill.Oxley
Add my agreement, policy should be at the discretion of the signer. Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Levine Sent: Friday, Novemb

RE: [ietf-dkim] one more comment I forgot...

2006-01-11 Thread Bill.Oxley
If a forwarder "didn't" strip a signature from the message, after decoding the hash and comparing to the information of the forwarding MTA it wouldn't match anyway, would still invoke some rule on the receiving entity would it not? Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharet

RE: [ietf-dkim] DKIM and mailing lists

2006-01-18 Thread Bill.Oxley
What is a mailing list? To me it is a script driven reply to all central repository. Sounds like a resigning requirement but since I neither design nor manage one twill leave it up to the market. thanks, Bill -Original Message- From: [EMAIL PROTECTED] on behalf of Mark Delany Sent: Wed

RE: [ietf-dkim] New Issue: Introduction lacks the introduction of SSP

2006-01-24 Thread Bill.Oxley
> Once the attesting party or parties have been established, the > recipient may evaluate the message in the context of additional > information such as locally-maintained whitelists, shared reputation > services, and/or third-party accreditation. The description of these > mechanisms is outs

RE: [ietf-dkim] draft-ietf-dkim-threats-00 Overlooking a practical solution while also recommending a highly unfair solution

2006-01-24 Thread Bill.Oxley
Doug, I would like to say that the only thing that a properly resolved dkim sig suggests is that the message came from the signing domain, no more no less. It allows better resolution of responsibility without any absolute assigning of same. thanks, Bill -Original Message- From: [EMAIL

RE: [ietf-dkim] How mailing lists mutate messages

2006-01-25 Thread Bill.Oxley
Hector > You got to give me solid, logical and deterministic reasons why we > should even bother looking for DKIM signatures - valid or not. right now for inbound messages from yahoo.com I check to see if there is a dkim= string, if so sent off for further processing, if not toss it :-) thanks, B

RE: [ietf-dkim] How mailing lists mutate messages

2006-01-27 Thread Bill.Oxley
Not at all, I am saying that the receiving entity still decides how any anti-spam measure is utilized. The current situation indicates that a valid email from yahoo.com will have an assigned dkim=$string. Many messages that appear to be from yahoo.com, containing spam do not have that string. At t

RE: [ietf-dkim] Attempted summary, SSP again

2006-01-27 Thread Bill.Oxley
" If it has a valid first party signature, it passes. If it doesn't, it doesn't." If the value of the valid signature states that 3rd party signers are not admissible it does impugn the validated first party signature. So should the first party remove 3rd party signatures? Or should the text read

RE: [ietf-dkim] Attempted summary, SSP again

2006-01-28 Thread Bill.Oxley
Hector, > * The domain name owner can decide the importance of edge > cases such as mail that does not pass through the > approved gateways. Ok, but by doing so, he puts a burden on the edge software too. In other words, should we be responsible in maintaining the domain security? If a bad acto

RE: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-31 Thread Bill.Oxley
> Direct attacks would be bad actor attempts to exploit compliant DKIM/SSP > systems. Indirect attacks would be bad actors' attempts to exploit > non-compliant DKIM/SSP and rely on "social engineering" exploits. With > indirect attacks, bad actors will not emphasize protocol correctness. > > Thes

RE: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-31 Thread Bill.Oxley
The hacker does not need access to my zone, he just attaches a lookalike header yes " And to have *any* rule that allows bypass of defense based upon the receipt of a header from outside your control is extremely dangerous." But folks will do it anyway Bill Oxley Messaging Engineer Cox Communica

RE: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-31 Thread Bill.Oxley
Sorry, Should have been clearer. Bad guy sends a message purportedly from cox.com with a header DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=cox.com The non dkim compliant mta who hasn't deployed dkim yet or knowing much about it places a rule stating that signed messages should

RE: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-31 Thread Bill.Oxley
> A dkim compliant mta will do a dip on my dns records and find no ssp or > dk record and drop the message as non compliant. >if the signature succeeds, why do they need to check ssp? I was making an assumption that if it's the first time cox.com has hit that mta they would get the values for bot

RE: [ietf-dkim] Can vendor's really say they have DKIM support yet?

2006-02-01 Thread Bill.Oxley
Without a policy statement DKIM asserts that the sending MTA sent this particular signed message. That is a benefit of itself to clearly identify the sending party. A policy statement that is 1 I sometimes sign 2 I don't care who signs this 3 I always sign and don't want anyone else to sign Is in

RE: [ietf-dkim] Re: New Issue: Threat-00 Limiting the scope of trust

2006-02-03 Thread Bill.Oxley
Doug Stated Exactly. The signing domain marking a message as trustworthy is assuring the recipient the message is not deceptive in _some_ fashion. This assurance would not be based upon some script or email-address, but upon who is allowed to receive their endorsement. Violate the trust, lose the

RE: [ietf-dkim] testing Message Corpus & question for base spec

2006-02-10 Thread Bill.Oxley
I would treat it the same way as a broken ssl certificate, with suspicion. Rather than determining what is acceptable policy we should briefly outline what consists of a valid dkim sig with a brief note that policy is in the eye of the beholder. thanks, Bill -Original Message- From: [E

RE: [ietf-dkim] testing Message Corpus & question for base spec

2006-02-16 Thread Bill.Oxley
"bad signature --> DKIM Failure, local policy will set procedure" thanks Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Allman Sent: Thursday,

RE: [ietf-dkim] Supporting alternate algorithms

2006-02-21 Thread Bill.Oxley
Why is determining the crypto methodology part of this group's efforts? Shouldn't DKIM specs state where in the dns record the signing entity stores what method they are using for crypto. If joe.stonage.com wants to use the original nix crypt command to sign should he not be allowed to do so? Of cou

RE: [ietf-dkim] ABNF: Sender = Originator / Operator

2006-03-10 Thread Bill.Oxley
Hmmm, I would like author: responsible for the message content Originator: MTA that first handles the author's message Operator: Subsequent MTA's handling before final delivery Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL

RE: [ietf-dkim] ABNF: Sender = Originator / Operator

2006-03-10 Thread Bill.Oxley
Delineate original responsibility of who wrote the message (Author) from a more responsible party who allowed the author to access the outside world (Originator) vs a diminished responsibility of who passes the message along, (Operator) Bill Oxley Messaging Engineer Cox Communications, Inc. Alp

RE: [ietf-dkim] Concerns about DKIM and mailing lists

2006-03-15 Thread Bill.Oxley
I receive a dkim signed mail from mipassoc.org with a dkim sig that resolves correctly but the domain mtcc.com is in the from address and they purport to sign all mail, the only dkim sig is from mipassoc.org. Since this mail has passed my blacklists I would then process the mail with my suspiciou

RE: [ietf-dkim] New Issue: 512 too short?

2006-03-16 Thread Bill.Oxley
Signers SHOULD NOT use keys less than 1024 bits, receivers MAY accept keys less than 1024. Let the receivers figure it out Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] ___ NOTE WELL: This

RE: [ietf-dkim] ABNF: Sender = Originator / Operator

2006-03-17 Thread Bill.Oxley
If the author creates the subject matter he is responsible whether knowingly or not. thanks Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SM Sent:

RE: [ietf-dkim] New Issue: Analyzing Failures: List of Possible Reasons

2006-03-17 Thread Bill.Oxley
I don't think that user recipients are going to see dkim anything unless they are used to viewing their headers. A dkim failure is just an identification failure, not a stop delivery notice. All it means is that I can't clearly identify who sent me this. As an ISP I don't want any part of the liabil

RE: [ietf-dkim] New Issue: Analyzing Failures: List of Possible Reasons

2006-03-18 Thread Bill.Oxley
-Original Message- From: Oxley, Bill (CCI-Atlanta) Sent: Fri 3/17/2006 3:39 PM To: 'Hector Santos' Subject: RE: [ietf-dkim] New Issue: Analyzing Failures: List of Possible Reasons Your support idea is sound although I disagree on what DKIM is actually going to do. However those issues

RE: [ietf-dkim] New Issue: Analyzing Failures: List of Possible Reasons

2006-03-20 Thread Bill.Oxley
I don't think presenting dkim information pro-actively to the end user serves any useful purpose. Unlike PGP the user doesn't have an easy way to decode what the header is telling them. In a few specific cases I will reject mail based on a lack of dkim signatures. We do not envision using dkim to b

RE: [ietf-dkim] Splitting the DKIM base doc

2006-03-27 Thread Bill.Oxley
When two or more vendors are arguing in front of a customer whose implementation is at fault is where the customer points at the RFC and states THIS is correct. Any time I have been a customer/referee in an industry dogfight (WLNP wars) simple single documents carefully spelled out work. Multipart

RE: [ietf-dkim] SSP and o= values

2006-03-27 Thread Bill.Oxley
Did you just pass the whitelisting chore to the name servers? thanks, Bill -Original Message- From: [EMAIL PROTECTED] on behalf of Douglas Otis Sent: Mon 3/27/2006 8:03 PM To: Tony Hansen Cc: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] SSP and o= values On Mar 27, 2006, at 3:16 PM,

RE: [ietf-dkim] mailing lists and -base

2006-03-28 Thread Bill.Oxley
Is signing the body at all an essential requirement? Yes, some potential risk for a replay attack but otherwise "whoami I sent this" should be sufficient for some providers, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Me

RE: [ietf-dkim] Proposal for specifying syntax and semantics for multiple signatures

2006-03-31 Thread Bill.Oxley
The only interesting thing dkim does is ensure that the message the receiver sees actually was sent by the purported publisher of that internet bitstream. Who has seen it before offers nothing of interest. thanks Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-639

RE: [ietf-dkim] Proposal for specifying syntax and semantics for multiple signatures

2006-04-01 Thread Bill.Oxley
Many folks use edge devices that look/act like an mta but is antispam/av oriented. Dropping a dkim plugin should be no more difficult than deploying a new av engine. thanx, bll -Original Message- From: [EMAIL PROTECTED] on behalf of Michael Thomas Sent: Fri 3/31/2006 6:32 PM To: Mark Del

RE: [ietf-dkim] Proposal for specifying syntax and semantics for multiple signatures

2006-04-03 Thread Bill.Oxley
We are a rather smallish ISP that handles about 40 mil mail messages a day. I am talking about signing and verifying. DNS rollout should be a matter of updating the proper record with a policy statement (whatever that turns out to be) and a public key. This is similar (except for the DNS part) to

RE: [ietf-dkim] Proposal for specifying syntax and semantics for multiple signatures

2006-04-03 Thread Bill.Oxley
The new found unchecked DKIM junk will always be with us. DKIM base is not about determining acceptance policy, it's about identification of where the mail was handled last. SSP is an authentication methodology, not part of the base. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc.

RE: [ietf-dkim] Alternative text for semantics of multiple signatures

2006-04-04 Thread Bill.Oxley
I like this version Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Thomas Sent: Tuesday, April 04, 2006 4:09 PM To: Paul Hoffman Cc: ietf-dk

RE: [ietf-dkim] Alternative text for semantics of multiple signatures

2006-04-05 Thread Bill.Oxley
Yes, the case indicates importance, much like bold/italic or underline, not meaning Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arvel Hathcock S

RE: [ietf-dkim] Proposal: get rid of x=

2006-04-07 Thread Bill.Oxley
I would put the date of my next key change in there if I was going to put anything. Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] ___ NOTE WELL: This list operates according to http://mipass

RE: [ietf-dkim] Proposal: get rid of x=

2006-04-08 Thread Bill.Oxley
-Original Message- From: [EMAIL PROTECTED] on behalf of Douglas Otis Sent: Fri 4/7/2006 7:56 PM To: Stephen Farrell Cc: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] Proposal: get rid of x= On Apr 7, 2006, at 1:53 PM, Stephen Farrell wrote: > So a signature expiry failure doesn't m

RE: [ietf-dkim] Proposal: get rid of x=

2006-04-10 Thread Bill.Oxley
Why would one care at all about when a sig was signed? A sig will either pass muster or fail, if passed t=$date < curr_date raises a question of expiration for the verifier. Obtaining the actual timestamp of when the message was actually signed doesn't have much value for me. Bill Oxley Messagin

RE: [ietf-dkim] Straw poll on x=

2006-04-11 Thread Bill.Oxley
Keep x, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Clark Sent: Tuesday, April 11, 2006 11:04 AM To: ietf-dkim Subject: [ietf-dkim] St

RE: [ietf-dkim] Proposed fingerprint tag description

2006-04-12 Thread Bill.Oxley
Let's not get into cellular mapping id's (SID) -Original Message- From: [EMAIL PROTECTED] on behalf of Jim Fenton Sent: Wed 4/12/2006 8:00 PM To: Murray S. Kucherawy Cc: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] Proposed fingerprint tag description Murray S. Kucherawy wrote: > wil

RE: [ietf-dkim] New issue: Signing by parent domains

2006-04-13 Thread Bill.Oxley
As an ISP we route customer mail thru our mta's, we have business customers that may use their own mta's. If a customer determines that entity at foo.com wishes to use bar.com's mta are you saying that bar.com should not sign on foo.com's behalf? Will that not present a problem with the recep

RE: [ietf-dkim] New issue: Signing by parent domains

2006-04-13 Thread Bill.Oxley
Jim, So if they use our mta's The signatures would in fact be from cox.com as I don't believe there is a method to have us sign as foo.com as the reverse lookup for foo.com wouldn't match where the mail is coming from, unless I am missing a lot here. Please explain, Thanks, Bill Oxley Messaging E

RE: [ietf-dkim] x= lets senders expire responsibility

2006-04-14 Thread Bill.Oxley
I suspect in the real sysadmin world changing keys every week probably isn't going to happen :-) Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hec

RE: [ietf-dkim] x= lets senders expire responsibility

2006-04-14 Thread Bill.Oxley
Mike said * For larger business and maybe ISP's even, our anecdotal experience at Cisco is that our messaging and DNS folks don't have much to do with one another (changing mx records is not an ordinary event). Thus to achieve key rollover, you'd need to create linkages between the gr

RE: [ietf-dkim] Proposal: Do the semantics first, then straw poll

2006-04-17 Thread Bill.Oxley
Responsibility is perhaps the wrong term. If a message is received past the x=date it is stale and out of RFC impact. The sender is no more responsible than sending a dkim sig without a public key, the message becomes out of scope of the RFC and goes back to the verifying entity for a policy decisi

RE: [ietf-dkim] 2.1 Signers // Within an administrative domain?

2006-04-18 Thread Bill.Oxley
If a MUA is the signer I would hope it is within its own administrative domain. I haven't seen one yet that was outside of its own domain. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PR

RE: [ietf-dkim] Straw poll on x=

2006-04-18 Thread Bill.Oxley
Current x= Signature Expiration (plain-text; RECOMMENDED, default is no expiration). The format is the same as in the "t=" tag, represented as an absolute date, not as a time delta from the signing timestamp. Signatures MUST NOT be considered valid if the current tim

RE: [ietf-dkim] Attempted text for x= with DSN considerations

2006-04-19 Thread Bill.Oxley
Why would a verifier refuse a message that had a value for x=? "Verifiers MAY support checking of x= values or may refuse to accept messages with the x= tag." thanks, Bill -Original Message- From: [EMAIL PROTECTED] on behalf of Douglas Otis Sent: Wed 4/19/2006 6:01 PM To: Stephen

RE: [ietf-dkim] Attempted text for x=

2006-04-19 Thread Bill.Oxley
What he said :-) Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hector Santos Sent: Thursday, April 20, 2006 2:07 AM To: Stephen Farrell Cc: ietf-d

RE: [ietf-dkim] dkim-base-01: 6.2 - DNS error

2006-04-22 Thread Bill.Oxley
* 2. If the query for the public key fails to respond, the verifier *SHOULD defer acceptance of this email. Verifiers SHOULD track * continuous errors and SHOULD eventually accept the message *object after a number of tries. If the query for the public key fails to respo

RE: [ietf-dkim] When i= domain != d= domain

2006-04-30 Thread Bill.Oxley
In all cases we should be defining status of an event rather than conclusions about potential remedies -Original Message- From: [EMAIL PROTECTED] on behalf of Eric Allman Sent: Fri 4/28/2006 4:10 PM To: [EMAIL PROTECTED] Cc: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] When i= domain

RE: [ietf-dkim] Mandatory v= (summary from jabber session)

2006-05-18 Thread Bill.Oxley
v=0.2 v=1 and how about v=t for experimental? Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Allman Sent: Thursday, May 18, 2006 2:02 PM To: I

RE: [ietf-dkim] draft-ietf-dkim-base-02 submitted

2006-05-23 Thread Bill.Oxley
Appendix, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Allman Sent: Tuesday, May 23, 2006 2:03 PM To: Hector Santos Cc: IETF DKIM WG Subject:

RE: [ietf-dkim] draft-ietf-dkim-base-02 //i= parameter

2006-05-31 Thread Bill.Oxley
Current statement 5.1 is fine, your changes introducing a -i requirement bypasses the main thrust of DKIM. I signed this message/I did not sign this message. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message---

RE: [ietf-dkim] draft-ietf-dkim-base-02 // Parent signing security considerations

2006-06-01 Thread Bill.Oxley
Doug, Just so that I can understand clearly, TLD offers signing ability to those who don't want to develop or buy their own. So bar.com offers to sign for [EMAIL PROTECTED] However by bringing certificated messages from [EMAIL PROTECTED] you are assigning a reputation to that signature that DKIM p

RE: [ietf-dkim] draft-ietf-dkim-base-02 // Parent signing security considerations

2006-06-01 Thread Bill.Oxley
Doug, Thanks for the clarification, so an assertion for subdomains that can "opt out" of parent signing systems so that [EMAIL PROTECTED] is authenticated with sig and [EMAIL PROTECTED] is not? Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PR

RE: [ietf-dkim] Issue 1287: K... Otis, signature removal

2006-06-05 Thread Bill.Oxley
Well I hate to insist that signers SHOULD do anything but doesn't the issue of multiple signatures belong in a mail list addendum rather than base? If I am forwarding should I want to forward an unverifiable signature over my verifiable one, how would that impact my reputation? Bill Oxley Messag

RE: [ietf-dkim] base-02 // worst-case scenario/duration of exploit/use of deprecated

2006-06-08 Thread Bill.Oxley
Doug, You are dictating what a sender and verifier must do. If I have a faulty algorithm and change my keys to reflect the new ones I may not be interested in signing with what I consider a deprecated key. I signed my mail, published a key and sent my mail. A receiver who gets old mail that does

RE: [ietf-dkim] Underscore considerations

2006-06-09 Thread Bill.Oxley
Just want to clarify You want to ensure that wildcards and i,g tags can delimit subdomains, is that correct? Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Be

RE: [ietf-dkim] Underscore considerations

2006-06-10 Thread Bill.Oxley
At this point I tend to support Doug's position that we "allow" wildcard entries on both sides of the "@" to delimit abuse. thanks, Bill -Original Message- From: [EMAIL PROTECTED] on behalf of Douglas Otis Sent: Fri 6/9/2006 4:27 PM To: Stephen Farrell Cc: ietf-dkim@mipassoc.org Subject:

RE: [ietf-dkim] Comments on -overview document?

2006-07-09 Thread Bill.Oxley
Dave, if you are speaking to the http://mipassoc.org/dkim/info/DKIM-Intro-Allman.html it looks good except the piece at the bottom of page 6 :::Not an anti-spam technology by itself should be amplified :::Not an anti-spam technology by itself but a methodology to clearly identify a responsibl

RE: [ietf-dkim] Comments on -overview document?

2006-07-10 Thread Bill.Oxley
Dave, This document fine except for the following section "Usually, email is i/o-intensive, with unused computational capacity. So, it is likely that no new hardware will be required." This should be deleted. For example if others in my organization who have not followed the mailing list we

RE: [ietf-dkim] Comments on -overview document?

2006-07-10 Thread Bill.Oxley
(forgot to hit reply to all) Eliot, I think we should treat the issue by stating that in the mixed environments currently being tested a 10 to 15% cpu usage has been noted. This will allow the SA types to adequately engineer a DKIM solution based on their layout. When you think of all the edge proc

RE: [ietf-dkim] review of draft-ietf-dkim-overview-01

2006-07-12 Thread Bill.Oxley
Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] Number 1 below is partially true. I can send mail that appears to be from someone else that cannot be tracked back to the actual originating IP but appears to be from elsewhere, this is what

RE: [ietf-dkim] Issue: which headers should we REQUIRE to be signed?

2006-07-13 Thread Bill.Oxley
With no headers at all being signed, a signature should still be either valid or invalid and therefore still useful. Don't NEED headers for base. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [E

RE: [ietf-dkim] Issue: which headers should we REQUIRE to be signed?

2006-07-13 Thread Bill.Oxley
Good? Probably not, useful, not really but that is a policy thingee. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Hansen Sent: Thurs

RE: [ietf-dkim] 822/2822 or just 2822

2006-07-24 Thread Bill.Oxley
On the face of this it looks like a third party is molesting the message after signing but before delivery. If the third party does not currently do DKIM then the signature will result in failure. If the third party is DKIM aware then it could verify the signature, make needed changes then re-sign

RE: [ietf-dkim] The URL to my paper describing the DKIM policy options

2006-07-26 Thread Bill.Oxley
Scott, I think that each domain would have a public key and the aggregator MTA that is shared would sign on behalf of that domain. Jobob.com uses mx.isp.com to send mail; jobob.com would have a dns record containing public key information; mx.isp.com would sign using jobob.com keys. Now conversely

RE: [ietf-dkim] domain (reputation) semantics: selectors vs. sub-domains

2006-07-26 Thread Bill.Oxley
My understanding as well that subdomains should be a separator, not the selector function Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Da

RE: [ietf-dkim] requirements

2006-07-26 Thread Bill.Oxley
Scott, I don't know if you have looked at Hector Santos' policy document, he does a very good job of assigning values and tags that define needed policies. http://isdg.net/public/ietf/drafts/draft-santos-dkim-dsap-00.html http://isdg.net/public/ietf/drafts/draft-santos-dkim-dsap-00.txt we should a

RE: [ietf-dkim] The URL to my paper describing the DKIM policy options

2006-07-27 Thread Bill.Oxley
My requirements:
I sign all
I sign nothing
I sign only 3rd party
I sign all and 3rd party
I sign some mail
My Policy/Practice:
I sign all - every piece of mail purported to be from me must be signed
I sign nothing - If mail arrives with a DKIM sig I didn't send it
I sign only 3rd party - I only

RE: [ietf-dkim] The URL to my paper describing the DKIM policy options

2006-07-27 Thread Bill.Oxley
As an example, an ISP that has 10k business customers who potentially will want signed mail a Commercial.isp.com signing domain would assert I only sign 3rd party Using current software I would only sign customers that have been pre-approved. If those customers SPAM for whatever reason, neglect or

RE: [ietf-dkim] The URL to my paper describing the DKIM policy options

2006-07-27 Thread Bill.Oxley
Scott, Perhaps an easier way, instead of you having to manage a DNS policy record, you offload that to your provider. Policy.DKIM.foo.bar.com is an alias to dkim.provider.com who states the policy you request. When changing outbound email providers the new provider aliases policy.foo.bar.com to new.d

[ietf-dkim] 3rd party signing

2006-07-28 Thread Bill.Oxley
A recipient will then have a valid party to complain to which is better than blocking a domain that has been spoofed. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: John Levine [mailto:[EMAIL PROTE

RE: [ietf-dkim] Requirements on where/how SSP stuff is published...

2006-07-28 Thread Bill.Oxley
According to my DNS admin "Why are you putting all that crap in DNS? The MTA can do that!! Or use a web page!" Just passing along a reaction I got. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From:

[ietf-dkim] RE: 3rd party signing

2006-07-28 Thread Bill.Oxley
"Scenario B is technically possible but makes no sense. If you have the ability to sign mail, why wouldn't you sign your own?" because this is a special purpose domain simply to manage 3rd party signage, the domain itself will not send any mail. Saying I only sign 3rd party would allow people to

RE: DKIM TTPs (was Re: [ietf-dkim] editorials and nits)

2006-07-30 Thread Bill.Oxley
The query mechanism could certainly point to an alternate retrieval mechanism such as http for long policy statements. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EM

RE: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Bill.Oxley
You believe both and apply a receiver policy determined by yourself that will handle a message with an anomaly, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ietf-dkim] Are verifiers expected to query SSP on a successful verify?

2006-07-31 Thread Bill.Oxley
How about checking SSP first to see if they sign at all :-)? Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Delany Sent: Monday, July 31, 200

RE: [ietf-dkim] Are verifiers expected to query SSP on a successful verify?

2006-07-31 Thread Bill.Oxley
Can you take a look at the DSAP proposal or the link Hector provided with the SSP verification Interface Diagram? It does appear to flow this question. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message-

RE: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Bill.Oxley
As long as we all remember that bad actors can get a domain, populate dkim keys and ssp then send spam until they are noticed and shutdown. Policy will be by the receiver that a message that fails dkim/ssp is flagged for a closer examination than a message that passes both dkim and ssp but all mai

RE: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Bill.Oxley
I am not going to recommend whitelisting ANY domain unless I own it. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: John L [mailto:[EMAIL PROTECTED] Sent: Monday, July 31, 2006 10:15 PM To: Oxley

RE: [ietf-dkim] A few SSP axioms

2006-08-01 Thread Bill.Oxley
Perhaps his provider signs all outgoing mail regardless without having to parse a list of who signs their own mail locally. Daemon is also right, spam from bots inside his ISP space will be sending mail that is signed by the provider until they are stopped by the abuse department. Thanks, Bill Oxl

RE: [ietf-dkim] New Requirements: SSP must offer Highest Protection Possible

2006-08-01 Thread Bill.Oxley
Benefit, Assertion by the signer to affect the policy of the receiver. Agreed accidental DOS possibility by a (un)helpful relayer. Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailt

RE: [ietf-dkim] A few SSP axioms

2006-08-01 Thread Bill.Oxley
All, As an ISP there are 2 things I will require to implement SSP or another DKIM policy methodology: A. I only sign 3rd party. B. I sign exclusively; any other sigs make mine broken. There can be other policies but I require those two and am wondering why there seems to be a tremendous pus

RE: [ietf-dkim] A few SSP axioms

2006-08-01 Thread Bill.Oxley
If I understand this right, a local domain that relays thru my 3rd party MTA may have its own signing policy. I then sign as 3rd party, an ssp lookup on example.com sees the third party only policy and also a foo.example.com shows a relaxed signing policy. Both sigs decrypt as valid. That is a good
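The receiver-side policy step discussed across these messages (delegating the policy record to a provider via a CNAME alias, checking policy before weighing signatures, the two ISP policies "I only sign 3rd party" and "I sign exclusively", and the two-signature case just above), as an added example that is not part of any post in this thread and not the SSP draft's wire format. The record name `_policy.<domain>`, the `v=toy1` and `sign=` tags, and every domain in the in-memory DNS table are constructed assumptions; cryptographic verification of each signature is assumed to have already happened.

```python
"""Toy receiver-side DKIM policy evaluation.

Constructed example: the record name `_policy.<domain>`, the `v=toy1` and
`sign=` tags and every domain below are assumptions for illustration and are
not the SSP draft's syntax. Only the policy step is modelled; the signatures
are assumed to have been verified (or failed) already.
"""
from dataclasses import dataclass
from typing import Optional

MAX_CNAME_HOPS = 8   # guard against CNAME loops in delegated policy records

# Constructed in-memory DNS; a real verifier would query TXT/CNAME records.
FAKE_DNS = {
    # foo.bar.com outsources outbound mail and aliases its policy record to
    # the provider, who publishes the policy the customer asked for.
    ("_policy.foo.bar.com", "CNAME"): "_policy.provider.example",
    ("_policy.provider.example", "TXT"): "v=toy1; sign=relaxed",
    # example.com: special-purpose signing domain that only signs for others
    ("_policy.example.com", "TXT"): "v=toy1; sign=third-party",
    # foo.example.com: signs its own mail, tolerates extra signatures
    ("_policy.foo.example.com", "TXT"): "v=toy1; sign=relaxed",
    # strict.example: signs everything itself; any other signature is an error
    ("_policy.strict.example", "TXT"): "v=toy1; sign=exclusive",
    # loop.example: misconfigured CNAME that points at itself
    ("_policy.loop.example", "CNAME"): "_policy.loop.example",
    # nosign.example publishes nothing at all
}


@dataclass(frozen=True)
class Sig:
    d: str        # signing domain from the signature's d= tag
    valid: bool   # result of cryptographic verification (assumed done)


def lookup(name: str, rrtype: str) -> Optional[str]:
    """Offline stand-in for a DNS query."""
    return FAKE_DNS.get((name.lower(), rrtype))


def parse_policy(txt: str) -> Optional[dict]:
    """Parse 'k=v; k=v' tags; an unknown version is treated as no policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags if tags.get("v") == "toy1" else None


def fetch_policy(domain: str) -> Optional[dict]:
    """Fetch the policy for `domain`, following CNAME delegation."""
    name = f"_policy.{domain.lower()}"
    for _ in range(MAX_CNAME_HOPS):
        txt = lookup(name, "TXT")
        if txt is not None:
            return parse_policy(txt)
        target = lookup(name, "CNAME")
        if target is None:
            return None
        name = target.lower()
    return None   # hop limit hit: treat as unpublished rather than loop forever


def evaluate(from_domain: str, sigs: list) -> tuple:
    """Return (disposition, reasons) for a message.

    Policy is fetched before signatures are weighed, so an unsigned message
    from a domain that signs everything is rejected without any crypto work.
    """
    from_domain = from_domain.lower()
    reasons = []
    policy = fetch_policy(from_domain)
    mode = policy.get("sign") if policy else None

    author = [s for s in sigs if s.valid and s.d.lower() == from_domain]
    third = [s for s in sigs if s.valid and s.d.lower() != from_domain]
    broken = [s for s in sigs if not s.valid]
    if broken:
        reasons.append("broken signature(s): " + ", ".join(s.d for s in broken))

    # A signer whose own policy says "I sign only my own mail" should never
    # show up as a third-party signer on someone else's message.
    for s in third:
        sp = fetch_policy(s.d)
        if sp and sp.get("sign") == "exclusive":
            reasons.append(f"{s.d} signs third-party mail despite exclusive policy")

    if mode == "third-party":
        # Domain asserts it only signs for others and sends no mail itself,
        # so mail claiming to be From that domain is an anomaly.
        reasons.append(f"{from_domain} publishes a sign-only-for-others policy")
        return "fail", reasons
    if mode == "exclusive":
        if not author:
            reasons.append("exclusive policy but no valid author signature")
            return "fail", reasons
        if third:
            reasons.append("exclusive policy but additional signatures present")
            return "fail", reasons
        return ("flag" if reasons else "pass"), reasons
    if mode not in (None, "relaxed"):
        reasons.append(f"unrecognized sign={mode}; treating as unsigned")
        return "flag", reasons
    # relaxed or no policy: any valid signature names a party to complain to;
    # with none, there is nothing to say either way.
    if author or third:
        return ("flag" if reasons else "pass"), reasons
    return ("flag" if reasons else "neutral"), reasons
```

The "flag" disposition is the "closer examination" bucket: the message is neither clearly good nor clearly bad, so it goes to the spam scorer with the reasons attached rather than being dropped. The hop limit in `fetch_policy` matters once policy records are delegated by CNAME, since a provider mistake (or a loop like `loop.example` above) would otherwise stall the verifier.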

RE: [ietf-dkim] A more fundamental SSP axiom

2006-08-02 Thread Bill.Oxley
Dave, As a receiver I would like to know who sent the message, who signed the message and any further information that might allow me to assign a spam score accurately for further edge processing. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL

RE: [ietf-dkim] A more fundamental SSP axiom

2006-08-02 Thread Bill.Oxley
All, Maybe I am confused on how email works. Sending, A. I want to send a message. My MTA looks up the MX record of the receiving party and initiates a bind and a conversation on port 25 with the receiver's MTA. As part of that conversation headers are exchanged one of which is DKIM. I then pass th

RE: [ietf-dkim] SSP thought experiment

2006-08-04 Thread Bill.Oxley
One would assume that an additional signing algorithm has been introduced and not using the TOM SWIFTY algorithm I would refer to base and treat your message as unsigned. thanks, -Original Message- From: [EMAIL PROTECTED] on behalf of John L Sent: Fri 8/4/2006 2:05 PM To: DKIM List Subj

RE: [ietf-dkim] A more fundamental SSP axiom

2006-08-04 Thread Bill.Oxley
> Actually I have a business plan where people pay me to make the reports on their behalf. > > Making reports could improve your reputation. > That's a fine idea, use the extortion plan of some blacklisters for whitelisters. Several of these plans are in the market. I get howled at all the time bec

RE: [ietf-dkim] A more fundamental SSP axiom

2006-08-04 Thread Bill.Oxley
Not before Doug defines client a little more clearly :-) Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Damon Sent: Friday, August 04, 2006 10:01 P

RE: [ietf-dkim] "I sign everything" is not a useful policy

2006-08-04 Thread Bill.Oxley
+1 Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Delany Sent: Friday, August 04, 2006 10:58 PM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-
