- Original Message -
From: "John Levine" <[EMAIL PROTECTED]>
Sent: Friday, September 08, 2006 12:48 PM
Subject: Re: [ietf-dkim] The basic problem with SSP
>>2. I don't care about the breakage and I'd prefer you
>> reject unsigned mail.
>
> Not to put too fine a point on it, but the fund
>The best way to help end-users avoid getting phished it to not accept
>phishing messages for delivery. DKIM-SSP where strict policy
>statements are published offer a mechanism for this.
I get a message from [EMAIL PROTECTED] It has a valid
signature. I check the SSP for ebay-verify.com, which
On Saturday 09 September 2006 13:26, John Levine wrote:
> >The best way to help end-users avoid getting phished it to not accept
> >phishing messages for delivery. DKIM-SSP where strict policy
> >statements are published offer a mechanism for this.
>
> I get a message from [EMAIL PROTECTED] It ha
>> >The best way to help end-users avoid getting phished it to not accept
>> >phishing messages for delivery. DKIM-SSP where strict policy
>> >statements are published offer a mechanism for this.
>>
>> I get a message from [EMAIL PROTECTED] It has a valid
>> signature. I check the SSP for ebay-v
On Saturday 09 September 2006 14:35, John Levine wrote:
> >> >The best way to help end-users avoid getting phished it to not accept
> >> >phishing messages for delivery. DKIM-SSP where strict policy
> >> >statements are published offer a mechanism for this.
> >>
> >> I get a message from [EMAIL PR
On Sep 9, 2006, at 10:40 AM, Scott Kitterman wrote:
On Saturday 09 September 2006 13:26, John Levine wrote:
The best way to help end-users avoid getting phished it to not
accept
phishing messages for delivery. DKIM-SSP where strict policy
statements are published offer a mechanism for this.
On Sat, 2006-09-09 at 18:35 +, John Levine wrote:
> >> >The best way to help end-users avoid getting phished it to not accept
> >> >phishing messages for delivery. DKIM-SSP where strict policy
> >> >statements are published offer a mechanism for this.
> >>
> >> I get a message from [EMAIL PROT
>It seems to me you may be saying that a look-alike domain can be made
>to look more authentic than the actual domain. Is that right? If
>so, I'd like to understand that.
It doesn't have to look more authentic. It only has to look as
authentic. With SSP, everyone can publish equally authentic
On Saturday 09 September 2006 15:12, John Levine wrote:
> >It seems to me you may be saying that a look-alike domain can be made
> >to look more authentic than the actual domain. Is that right? If
> >so, I'd like to understand that.
>
> It doesn't have to look more authentic. It only has to look
John Levine wrote:
It seems to me you may be saying that a look-alike domain can be made
to look more authentic than the actual domain. Is that right? If
so, I'd like to understand that.
It doesn't have to look more authentic. It only has to look as
authentic. With SSP, everyone can publi
On Sat, Sep 09, 2006 at 12:55:44PM -0700, Dave Crocker wrote:
> The list discussion seems to be spending an awful lot of time on issues
> that are theoretical, poorly understand, and lacking in a clear
> community consensus that we need a solution.
>
> How is this productive?
While I agree with
On Sat, 9 Sep 2006, Dave Crocker wrote:
The list discussion seems to be spending an awful lot of time on issues that
are theoretical, poorly understand, and lacking in a clear community
consensus that we need a solution.
How is this productive?
Your own message is perfect example of unprod
On Sep 8, 2006, at 11:11 AM, Hector Santos wrote:
- Original Message -
From: "John Levine" <[EMAIL PROTECTED]>
Sent: Friday, September 08, 2006 12:48 PM
Subject: Re: [ietf-dkim] The basic problem with SSP
2. I don't care about the breakage and I'd prefer you
reject unsigned mail.
On Sep 8, 2006, at 11:11 AM, Hector Santos wrote:
Anytime you send e-mail to someone, you're basically asking them
to do you a large favor by investing the effort to accept and
deliver it. Senders don't get to set rules about what recipients
can do.
If it isn't about SPAM, then what it
Hector Santos:
> >>2. I don't care about the breakage and I'd prefer you
> >> reject unsigned mail.
> >
> > Not to put too fine a point on it, but the fundamental question here
> > is why should the recipient care what the sender claims he prefers?
> >
> > Anytime you send e-mail to someone, you'r
- Original Message -
From: "Steve Atkins" <[EMAIL PROTECTED]>
>> Whats the purpose?
>
> The purpose is that the recipient knows who is responsible
> for the mail.
And you honestly believe there is no product liabilities here? I really
don't care who is responsible as long as its not me
- Original Message -
From: "Wietse Venema" <[EMAIL PROTECTED]>
To:
Sent: Friday, September 08, 2006 2:52 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
> > If thats the case, than explain why should receivers should bother
> > processing DKIM signatur
Wietse Venema wrote:
The purpose of a valid DKIM signature is to identify the party that
signed the message. Whether this is a first-party or third-party
signature is largely irrelevant. It's about accountability.
It is interesting how vigorously and persistently this continues to be
misund
- Original Message -
From: "Dave Crocker" <[EMAIL PROTECTED]>
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
> Wietse Venema wrote:
>
>> The purpose of a valid DKIM signature is to identify the party that
>> signed the message. Whether this is a first
> The purpose of a valid DKIM signature is to identify the party that
> signed the message.
Here, you are completely correct.
> Whether this is a first-party or third-party signature is largely
> irrelevant.
Here, you are correct only if you restrict your vision to DKIM-BASE. Once we
start
On Sep 8, 2006, at 1:59 PM, Hector Santos wrote:
Are you expecting them to be DKIM-READY to display this information
themselves?
Unless the MDA modifies the message, DKIM can be verified at the MUA
or even the web client for that matter. DKIM working in conjunction
with MUA annotations
Arvel Hathcock:
> > The purpose of a valid DKIM signature is to identify the party that
> > signed the message.
>
> Here, you are completely correct.
>
> > Whether this is a first-party or third-party signature is largely
> > irrelevant.
>
> Here, you are correct only if you restrict your vis
judging by what shows up at my MTA's 80% of the market has a sharp disagreement
with you.
" However, the market environment is to ELIMINATE the bad
transactions and the market direction is being in this direction."
If you switch market to "receivers market" I'll agree
thanks,
Bill
Wietse Venema wrote:
Here is an example why first-party signatures can be dangerous.
Right.
They key point, to me, is that a signature by the rfc2822.From domain is
likely to help control against some existing types of phishing, but it
clearly will not help against others.
Worse, we have
On Saturday 09 September 2006 12:07, Dave Crocker wrote:
> Wietse Venema wrote:
> > Here is an example why first-party signatures can be dangerous.
>
> Right.
>
> They key point, to me, is that a signature by the rfc2822.From domain is
> likely to help control against some existing types of phishin
Scott Kitterman:
> On Saturday 09 September 2006 12:07, Dave Crocker wrote:
> > Wietse Venema wrote:
> > > Here is an example why first-party signatures can be dangerous.
...
> The best way to help end-users avoid getting phished it to not accept phishing
> messages for delivery. DKIM-SSP where st
On Saturday 09 September 2006 12:45, Wietse Venema wrote:
> Scott Kitterman:
> > On Saturday 09 September 2006 12:07, Dave Crocker wrote:
> > > Wietse Venema wrote:
> > > > Here is an example why first-party signatures can be dangerous.
>
> ...
>
> > The best way to help end-users avoid getting phi
Scott Kitterman:
> > Blindly believing DKIM-SSP gives a false sense of security, and
> > provides criminals with even more convincing ways to rob people.
> > I really recommend that you read my entire email message.
> >
> If you had said that Blindly believing [positive indications from]
> DKIM-SS
- Original Message -
From: "John Levine" <[EMAIL PROTECTED]>
To:
>> The best way to help end-users avoid getting phished it to not accept
>> phishing messages for delivery. DKIM-SSP where strict policy
>> statements are published offer a mechanism for this.
>
> I get a message from [EMA
On Sat, 2006-09-09 at 12:35 -0400, Scott Kitterman wrote:
> On Saturday 09 September 2006 12:07, Dave Crocker wrote:
> > Wietse Venema wrote:
> > > Here is an example why first-party signatures can be dangerous.
> >
> > Right.
> >
> > They key point, to me, is that a signature by the rfc2822.From
>
On Saturday 09 September 2006 14:10, Wietse Venema wrote:
> Scott Kitterman:
> > > Blindly believing DKIM-SSP gives a false sense of security, and
> > > provides criminals with even more convincing ways to rob people.
> > > I really recommend that you read my entire email message.
> >
> > If you ha
Dave Crocker wrote:
Wietse Venema wrote:
Here is an example why first-party signatures can be dangerous.
Right.
They key point, to me, is that a signature by the rfc2822.From domain
is likely to help control against some existing types of phishing, but
it clearly will not help against
Michael Thomas wrote:
Therefore, to the extent that anyone touts a DKIM-based mechanism
as defeating phishing, we run the risk of undermining all of DKIM's
credibility, by setting expectations far too high.
This is where Dave Oran's Preparation H disclaimer comes into effect:
Preparation H d
- Original Message -
From: "Scott Kitterman" <[EMAIL PROTECTED]>
To:
Sent: Saturday, September 09, 2006 2:27 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
> I would call forcing phishers to switch from
> exact domains to look-alikes progress.
+1.
SSP
- Original Message -
From: "Dave Crocker" <[EMAIL PROTECTED]>
To: "Michael Thomas" <[EMAIL PROTECTED]>
> My comment was not that it is bad to have partial solutions,
> but that it is bad to set expectations inappropriately and
> that the discussion on this list suggests that we are at
>
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "John Levine" <[EMAIL PROTECTED]>
> I agree. A policy of any form will be unable to
> reliably block phishing messages or identify what
> messages should be annotated in isolation of other
> information. However, DKIM rel
- Original Message -
From: "John Levine" <[EMAIL PROTECTED]>
Sent: Saturday, September 09, 2006 3:12 PM
Subject: Re: [ietf-dkim] SSP = FAILURE
> Claims that SSP is a meaningful anti-phishing tool
> are nuts.
No one saying it is. Maybe Doug is, but I believe he
On Sep 9, 2006, at 12:23 PM, Hector Santos wrote:
I agree. A policy of any form will be unable to reliably block
phishing messages or identify what messages should be annotated in
isolation of other information. However, DKIM related information
can be applied beyond the MTA. Think outs
Inc.
http://www.santronics.com
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
Cc:
Sent: Saturday, September 09, 2006 6:19 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
>
> On Sep 9, 2006, at
Hector Santos:
> Just so you know, no one, atleast not me, has said that SSP or DKIM-BASE
> itself will protect against near-domain style spoofing A.K.A phishing.
Actually, the discussion has demonstrated that SSP can't detect
look-alike phishing, while DKIM-BASE can.
This involves a list of trus
On Sat, 2006-09-09 at 19:05 -0400, Hector Santos wrote:
> Doug,
>
> Not everyone will be able to produce a cross the board solution. Only the
> "Microsofts" and the likes will have the capacity to address a consistent
> solution across their applications.
Browser and MUAs are extensible in a man
On Saturday 09 September 2006 19:16, Wietse Venema wrote:
> Hector Santos:
> > Just so you know, no one, atleast not me, has said that SSP or DKIM-BASE
> > itself will protect against near-domain style spoofing A.K.A phishing.
>
> Actually, the discussion has demonstrated that SSP can't detect
> lo
On Sat, 2006-09-09 at 21:27 -0400, Scott Kitterman wrote:
> On Saturday 09 September 2006 19:16, Wietse Venema wrote:
> > Hector Santos:
> > > Just so you know, no one, atleast not me, has said that SSP or DKIM-BASE
> > > itself will protect against near-domain style spoofing A.K.A phishing.
> >
>
Wietse Venema wrote:
>Criminals switch strategy, and use look-alike domains to make their
>mail look even more authentic than it does today.
>
>If this is how SSP stops phishing mail, we have achieved nothing.
I can NOT stop burglaries, but I still have locks on my doors. But
SSP is BETTER than a
On Sep 11, 2006, at 8:04 AM, Thomas A. Fine wrote:
With SSP, I can only receive mail that looks ALMOST like it is from
one of my orgs. This is huge. This gives the user layer the
ability to quickly, accurately, and precisely differentiate between
fake and real messages. That's what SSP
Thomas A. Fine:
> Wietse Venema wrote:
> >Criminals switch strategy, and use look-alike domains to make their
> >mail look even more authentic than it does today.
> >
> >If this is how SSP stops phishing mail, we have achieved nothing.
>
> I can NOT stop burglaries, but I still have locks on my do
On 9/11/06, Douglas Otis <[EMAIL PROTECTED]> wrote:
On Sep 11, 2006, at 8:04 AM, Thomas A. Fine wrote:
> With SSP, I can only receive mail that looks ALMOST like it is from
> one of my orgs. This is huge. This gives the user layer the
> ability to quickly, accurately, and precisely differenti
Wietse Venema wrote:
>Thomas A. Fine:
>> Wietse Venema wrote:
>> >Criminals switch strategy, and use look-alike domains to make their
>> >mail look even more authentic than it does today.
>> >
>> >If this is how SSP stops phishing mail, we have achieved nothing.
>>
>> I can NOT stop burglaries, bu
ntos, Santronics Software, Inc.
http://www.santronics.com
- Original Message -
From: "Thomas A. Fine" <[EMAIL PROTECTED]>
To: ;
Sent: Monday, September 11, 2006 11:04 AM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
> Wietse Venema wrote:
> >Criminals switch str
On Sep 11, 2006, at 11:13 AM, Damon wrote:
There are only so many look-alike domains compared to as it is now,
being able to come from anywhere. If we were able to just focus on
look-alike's (as an admin) it would make things a lot simpler.
John Levine offered a fairly representative sampl
Hector Santos wrote:
Thomas,
The draft specifications, the official SSP-02,
Just a quick clarification: Jim's ssp-02 is not now an official
anything. We are still working ssp requirements and having been
through this extended discussion, I expect us to be in a position
to work through those
On 2006-09-08 12:34, Hector Santos wrote:
If the signature is good, then the recipient can A) send
feedback to the right place and B) use the senders reputation
to make decisions about delivery
But where was the acceptance criteria in the first place? That it passed
the DKIM test?
The accep
- Original Message -
From: "J.D. Falk" <[EMAIL PROTECTED]>
To: "IETF-DKIM"
>>> If the signature is good, then the recipient can A) send
>>> feedback to the right place and B) use the senders reputation
>>> to make decisions about delivery
>>
>> But where was the acceptance criteria in th
Thomas A. Fine:
> Wietse Venema wrote:
> >Thomas A. Fine:
> >> Wietse Venema wrote:
> >> >Criminals switch strategy, and use look-alike domains to make their
> >> >mail look even more authentic than it does today.
> >> >
> >> >If this is how SSP stops phishing mail, we have achieved nothing.
> >>
Wietse Venema wrote:
What was the advantage of SSP with look-alike domains?
To find large unproductive ratholes? Neither DKIM or SSP claim to have
any direct effect on look-alike domain names, and there's nothing in our
charter that says that we'll be doing anything about that ever. DKIM/S
On 9/12/06, Michael Thomas <[EMAIL PROTECTED]> wrote:
Wietse Venema wrote:
>
>What was the advantage of SSP with look-alike domains?
>
>
To find large unproductive ratholes? Neither DKIM or SSP claim to have
any direct effect on look-alike domain names, and there's nothing in our
charter that s
> >What was the advantage of SSP with look-alike domains?
> >
> To find large unproductive ratholes? Neither DKIM or SSP claim to have
> any direct effect on look-alike domain names, and there's nothing in our
DKIM_BASE allows a recipient to distinguish mail from the bank from
look-alike mail tha
Wietse Venema wrote:
>> >What was the advantage of SSP with look-alike domains?
>> >
>> To find large unproductive ratholes? Neither DKIM or SSP claim to have
>> any direct effect on look-alike domain names, and there's nothing in our
>
>DKIM_BASE allows a recipient to distinguish mail from the ba
On Sep 12, 2006, at 9:22 AM, Wietse Venema wrote:
What was the advantage of SSP with look-alike domains?
To find large unproductive ratholes? Neither DKIM or SSP claim to
have any direct effect on look-alike domain names, and there's
nothing in our
DKIM_BASE allows a recipient to distin
- Original Message -
From: "Wietse Venema" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, September 12, 2006 12:22 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
>>>What was the advantage of SSP with look-alike domains?
>>>
>> To find large unp
end user.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
- Original Message -
From: "Thomas A. Fine" <[EMAIL PROTECTED]>
To: ;
Sent: Tuesday, September 12, 2006 12:41 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
>> SSP has an a
On Sep 12, 2006, at 9:41 AM, Thomas A. Fine wrote:
Without SSP, users have two opportunities for making mistakes in
verifying their mail. They can fail to notice that it is unsigned,
or they can fail to notice that it is from a wrong domain.
SSP that blocks unsigned messages still offers
Hector Santos:
> >>>What was the advantage of SSP with look-alike domains?
> >>>
> >> To find large unproductive ratholes? Neither DKIM or SSP claim
> >> to have any direct effect on look-alike domain names, and
> >> there's nothing in our
> >
> > DKIM_BASE allows a recipient to distinguish mail f
> SSP has an advantage when we assume that criminals
> are stupid enough to keep sending forged mail. It
> has no advantage with look-alike attacks. Guess what
> criminals will do.
They will stop using real domains and start using other domains (assuming your
logic plays out).
This is PROG
Major +1
--
Arvel
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Thomas
Sent: Tuesday, September 12, 2006 8:58 AM
To: Wietse Venema
Cc: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
Wietse Venema wrote:
>
>Wh
- Original Message -
From: "Wietse Venema" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, September 12, 2006 1:30 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
>> hm, unless I didn't follow you right, I fail to
>> see the distinction or your po
On Sep 12, 2006, at 10:49 AM, Arvel Hathcock wrote:
SSP has an advantage when we assume that criminals
are stupid enough to keep sending forged mail. It
has no advantage with look-alike attacks. Guess what
criminals will do.
They will stop using real domains and start using other domains
(a
On Sep 12, 2006, at 10:59 AM, Hector Santos wrote:
hm, unless I didn't follow you right, I fail to see the
distinction or your point.
I get mail that pretends to be from my bank. The SSP says the mail
is 100% pure non-forged. However, the DKIM-BASE signing domain is
not in my li
12, 2006 1:49 PM
Subject: RE: [ietf-dkim] SSP = FAILURE DETECTION
> Major +1
>
> --
> Arvel
>
> -Original Message-
> From: Michael Thomas
> Sent: Tuesday, September 12, 2006 8:58 AM
> To: Wietse Venema
> Cc: ietf-dkim@mipassoc.org
> Subject: Re: [ietf-dkim
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
>>> Wietse wrote:
>>>
>>> I get mail that pretends to be from my bank. The SSP
>>> says the mail is 100% pure non-forged. However, the
>>> DKIM-BASE signing domain is not in my list of tr
On 2006-09-11 13:09, Hector Santos wrote:
The acceptance criteria is completely external to DKIM -- Steve
labeled it as "B" in the portion you quoted above.
Why is this such a difficult concept?
Nothing at all, but reputation is out of scope. Or is it? Where is the
specification? Whose rep
- Original Message -
From: "J.D. Falk" <[EMAIL PROTECTED]>
> Yahoo! will use Yahoo!'s internal systems to make our own internal
> decisions about each message. AOL will, I'm sure, use AOL's.
> Everyone will make their own decision in their own way, just
> like today -- perhaps with a 3rd
On Sep 11, 2006, at 5:05 PM, Hector Santos wrote:
There are so many issues with this DKIM-BASE + LOCAL POLICY UNKNOWN
that I find it hard to see how it justifies the risk of signing.
What issues and risks do you refer to with respect to signing?
How does policy ameliorate these issues and r
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
Cc: "IETF-DKIM"
Sent: Monday, September 11, 2006 8:22 PM
Subject: Re: accept, deny, or other delivery decisions (was Re: [ietf-dkim]
SSP= FAIL
On 2006-09-11 17:05, Hector Santos wrote:
- Original Message -
From: "J.D. Falk" <[EMAIL PROTECTED]>
Yahoo! will use Yahoo!'s internal systems to make our own internal
decisions about each message. AOL will, I'm sure, use AOL's.
Everyone will make their own decision in their own way,
On Sep 11, 2006, at 5:50 PM, Hector Santos wrote:
On Sep 11, 2006, at 5:05 PM, Hector Santos wrote:
There are so many issues with this DKIM-BASE + LOCAL POLICY
UNKNOWN that I find it hard to see how it justifies the risk of
signing.
What issues and risks do you refer to with respect to si
- Original Message -
From: "J.D. Falk" <[EMAIL PROTECTED]>
>> In what way?
> IP address is an input. Each URL in the message is an input.
> Virus scanning results on attachments are an input.
> Filtering hasn't been binary for years.
Not sure of the "binary" relationship, but these are
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
>> - Inconsistent results.
>
> Either the signature is valid or it is not. This does not depend
> upon policy
> ...
> Can you be a bit more specific about what do you mean by
> inconsistent results?
I was referrering to the
On Sep 11, 2006, at 7:07 PM, Hector Santos wrote:
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
- Inconsistent results.
Either the signature is valid or it is not. This does not depend
upon policy
...
Can you be a bit more specific about what do you mean by
inconsi
On Monday 11 September 2006 22:38, Steve Atkins wrote:
> On Sep 11, 2006, at 7:07 PM, Hector Santos wrote:
> > - Original Message -
> > From: "Douglas Otis" <[EMAIL PROTECTED]>
> >
> >>> - Inconsistent results.
> >>
> >> Either the signature is valid or it is not. This does not depend
> >>
On Monday 11 September 2006 21:29, J.D. Falk wrote:
> On 2006-09-11 17:05, Hector Santos wrote:
> > - Original Message -
> > From: "J.D. Falk" <[EMAIL PROTECTED]>
> >
> >> Yahoo! will use Yahoo!'s internal systems to make our own internal
> >> decisions about each message. AOL will, I'm su
On Sep 11, 2006, at 8:08 PM, Scott Kitterman wrote:
On Monday 11 September 2006 22:38, Steve Atkins wrote:
On Sep 11, 2006, at 7:07 PM, Hector Santos wrote:
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
- Inconsistent results.
Either the signature is valid or it is
On Mon, 11 Sep 2006 20:36:52 -0700 Steve Atkins <[EMAIL PROTECTED]> wrote:
>So describing "inconsistent results" as a "risk of signing" seems
>something of a non-sequitur. Or possibly I'm misunderstanding,
>in which case I'm sure Hector will expand on the issue, with a
>clearer explanation of what
>On 2006-09-11 17:05, Hector Santos wrote:
> ...
>IP address is an input. Each URL in the message is an input. Virus
>scanning results on attachments are an input. Filtering hasn't been
>binary for years.
It still is where Hector lives.
R's,
John
On Mon, 2006-09-11 at 22:07 -0400, Hector Santos wrote:
> - Original Message -
> From: "Douglas Otis" <[EMAIL PROTECTED]>
>
> >> - Inconsistent results.
> >
> > Either the signature is valid or it is not. This does not depend
> > upon policy
> > ...
> > Can you be a bit more specific abou
On 2006-09-11 18:54, Hector Santos wrote:
If there a consistent ACCEPT, DENY and DELIVERY DECISIONS method
so that when XYZ.COM sends signed mail to users at YAHOO.COM and
AOL.COM, you don't get inconsistent results?
Could you rephrase the question?
Sorry, that should of started with "Is th
- Original Message -
From: "J.D. Falk" <[EMAIL PROTECTED]>
>> In short, what I wrote above with a domain achieving different DKIM-BASE
>> results depending on which DKIM-BASE only systems it sends its mail to.
>
> So, you're concerned that senders won't be able to know beforehand how
> th
On Wed, 2006-09-13 at 01:49 -0400, Hector Santos wrote:
> It is because of that inconsistent DKIM reception handling unknowns
> between different systems, we risk encouraging DKIM bad actors to
> proliferate against the new creation of different potential targets.
>
> In summary, the concern is th
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
>> It is because of that inconsistent DKIM reception handling unknowns
>> between different systems, we risk encouraging DKIM bad actors to
>> proliferate against the new creation of dif
On Tue, Sep 12, 2006 at 12:07:00AM -0400, Scott Kitterman wrote:
> Why do senders want to accept this risk?
Because they don't have a choice. At least ESPs don't. When Microsoft
said:
'If you do Sender-ID, you have a better chance of the message going
into the Inbox'.
'If you do Sender Score Cer
On Wed, 2006-09-13 at 08:48 -0400, Jeff Macdonald wrote:
>
> Even when a client has both of these, blocks/'missing mail'/'bulk
> folder placement' still happen.
>
> Currently system don't seem to take past reputation into
> consideration. For instance, a customer could have a great reputation
> fo
On Sep 13, 2006, at 4:35 AM, Hector Santos wrote:
It is because of that inconsistent DKIM reception handling
unknowns between different systems, we risk encouraging DKIM bad
actors to proliferate against the new creation of different
potential targets.
In summary, the concern is that the
On 2006-09-12 22:49, Hector Santos wrote:
Anyway, I don't think you interpreted the concern incorrectly.
Certainly possible. I hope we see a wider variety of real-world
implementations soon so that we can figure out what's actually going to
happen, rather than just guessing (whether those g
93 matches
Mail list logo