A review of the DKIM threat draft may help establish realistic
expectations for the role that DKIM might play. This review should
not be seen as either condemnation or endorsement, but rather
estimating the service DKIM is able to safely provide as a valuable
extension to SMTP.

A statement made regarding white-listing may have been
misunderstood. DKIM as a basis for acceptance should be limited to
signing-domains able to tightly control the messages being signed.
Those domains able to exercise this level of control represent a
sizable list of companies and organizations. Email recognized on a
white-list as being from one of these "select" domains can be safely
marked as "good" at the MTA or MUA. For this expectation, DKIM
offers a practical solution. If there are problems, perhaps due to
financial relationships and related obligations pertaining to
possible marking services, these can be dealt with on a per event basis.

The DKIM base draft provides an excellent vehicle for introducing
email from bulk providers and large enterprises. A white-list
recognition of the select source, and the messages being then marked
as "good," provides significant value. Nevertheless, there are many
email sources that are not tightly controlled, such as email
providers for the general public. The low costs of public-service
tend to preclude the requisite vetting. For those providing
public-services, the DKIM signing-domain should be excluded from a
white-list that provides assured acceptance, or this invites abuse.

DKIM offers a means to determine the initial source of the message.
Only with irrefutable fraudulent activity on the part of the DKIM
signing-domain, would block-listing the domain be a reasonable
response. The risk of a signature being replayed necessitates a high
level of abuse tolerance, or many public-service domains could become
blocked. From within these public-service domains, white-listing or
block-listing could still be employed by the individual recipient.
The individual lists should include unique source identifiers within
the signing-domain, and even the signing role. The unique pairing of
sender::recipient identifiers offers protection from replay
exploits. When the recipient is attempting to create white-lists
from within public-service domains, having public-service domains
indicate whether they are acting as a mediator or MSA assists in the
individual white-listing effort, as this could eliminate some
spurious spoof alerts. The individual is able to employ
"out-of-band" methods to identify the message source and overcome possible
deceptive use of a signing role. The individual white-list could
then silently exclude marking "good" any message from a mediator
bearing the same From email-address, for example.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
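The two-tier white-list policy described in the post above, as an added Python example that is not part of the original message or of any DKIM implementation. It assumes a verifier that already reports the signing-domain (d=), a unique source identifier within that domain, whether the signing-domain acted as MSA or mediator, and the recipient address the signature covers; the domain names and the "msa"/"mediator" labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed policy table for this example (an assumption, not from the post):
# signing-domains known to tightly control what they sign.
SELECT_DOMAINS = {"bulk.example", "enterprise.example"}


@dataclass(frozen=True)
class VerifiedMessage:
    """What the policy needs after DKIM verification (assumed field names)."""
    signing_domain: Optional[str]  # d= of the verified signature, None if nothing verified
    source_id: Optional[str]       # unique source identifier within the signing-domain
    role: Optional[str]            # "msa" or "mediator", as indicated by the signing-domain
    from_addr: str                 # header From address
    signed_to: str                 # recipient address covered by the signature (sender::recipient pairing)


@dataclass(frozen=True)
class Entry:
    """One individual white-list entry: a source the recipient confirmed out-of-band."""
    signing_domain: str
    source_id: str
    role: str
    from_addr: str


@dataclass
class IndividualWhitelist:
    owner: str                                   # the recipient this list belongs to
    entries: Set[Entry] = field(default_factory=set)


def mta_verdict(msg: VerifiedMessage) -> str:
    """MTA/MUA-level white-list: only tightly controlled signing-domains are marked 'good'."""
    if msg.signing_domain is None:
        return "neutral"
    if msg.signing_domain in SELECT_DOMAINS:
        return "good"
    # Public-service and unknown signing-domains get no assured acceptance at this level.
    return "neutral"


def individual_verdict(msg: VerifiedMessage, wl: IndividualWhitelist) -> str:
    """Per-recipient white-list for sources inside public-service domains."""
    if msg.signing_domain is None or msg.source_id is None:
        return "neutral"
    # Replay protection: the signature must pair this sender with *this* recipient.
    if msg.signed_to.lower() != wl.owner.lower():
        return "neutral"
    for e in wl.entries:
        if (e.signing_domain, e.source_id, e.role) == (msg.signing_domain, msg.source_id, msg.role):
            return "good"
    # The From address is known, but the signing source is not the one learned.
    if any(e.from_addr.lower() == msg.from_addr.lower() for e in wl.entries):
        if msg.role == "mediator":
            # A list or forwarder re-signing a known sender: silently not 'good', no spoof alert.
            return "neutral"
        return "spoof-alert"
    return "neutral"


def verdict(msg: VerifiedMessage, wl: IndividualWhitelist) -> str:
    """Combine the MTA-level list with the recipient's own list."""
    v = mta_verdict(msg)
    return v if v == "good" else individual_verdict(msg, wl)


def learn(wl: IndividualWhitelist, msg: VerifiedMessage) -> None:
    """Add a source to the individual list once the recipient has identified it out-of-band."""
    if msg.signing_domain is None or msg.source_id is None or msg.role is None:
        raise ValueError("cannot white-list an unsigned or unattributed message")
    wl.entries.add(Entry(msg.signing_domain, msg.source_id, msg.role, msg.from_addr))


if __name__ == "__main__":
    # Constructed sample: bob@freemail.example learns alice's MSA-signed mail.
    bob = IndividualWhitelist(owner="bob@freemail.example")
    alice = VerifiedMessage("freemail.example", "alice", "msa",
                            "alice@freemail.example", "bob@freemail.example")
    learn(bob, alice)
    print(verdict(alice, bob))
```

The replay case is the one worth noting: a message alice sent to carol, replayed to bob with its signature intact, still verifies, but its signed recipient is carol, so bob's list never marks it "good" and the public-service signing-domain is never block-listed for it.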