Douglas Otis wrote:
> On 9/8/10 11:23 AM, Jim Fenton wrote:
>> No, I'm suggesting that they publish an explicit dkim=unknown if that is
>> their intent.
> It seems unlikely dkim=unknown will support their goal of ensuring most
> phishing attempts are blocked. It also seems unlikely this assertion
> will override rules intent on eliminating subdomain spoofing not
> otherwise handled by ADSP dkim=discardable.
>
> The TPA-Label draft attempted to avoid the dilemma created by
> dkim=discardable in respect to normal email use and its undefined
> handling of subdomains.
>
> IMHO, their best choice is likely to keep their corporate domain
> separate from their web presence and its transactional email.

+1. The worst thing they can do is to have a relaxed policy with anything resembling their brand name and domain, especially corp.paypal.com, in public channels.

The unfortunate thing is that we are currently warming up systems to view 3PS signatures as an "acceptable" idea and the only way to deal with it is the single source vouching of the last signer in the path. That single source vouching isn't going to happen. Not every verifier is going to be buying into a single vendor vouching for signers.

> If they do
> follow your advice, their results would prove informative for others.

DKIM=UNKNOWN will only provide value for SSA (Special Signing Arrangement). It will negatively impact a high value domain like paypal when it begins to negatively warm up systems that don't have an association with an SSA.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
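
The ADSP behaviour this thread argues about, as an added example that is not part of either poster's message: a sketch of the RFC 5617 evaluation showing how dkim=unknown and dkim=discardable apply to the exact author domain, to a subdomain, and to mail carrying only a parent-domain or third-party signature. The zone contents, the placeholder domains and the return labels are assumptions made for the example.

```python
# Constructed zone: every name that exists in DNS, mapped to the TXT record
# published at _adsp._domainkey.<name> (None = name exists, no ADSP record).
# All domains are placeholders, not taken from the thread.
ZONE = {
    "example.com": "dkim=discardable",  # transactional mail domain
    "corp.example.com": None,           # corporate subdomain, nothing published
    "lists.example.net": "dkim=unknown",
}

PRACTICES = ("unknown", "all", "discardable")


def parse_adsp(txt):
    """Return the practice in an ADSP record; anything unusable is 'unknown'."""
    if not txt:
        return "unknown"
    tag, _, value = txt.split(";")[0].partition("=")
    value = value.strip().lower()
    if tag.strip().lower() != "dkim" or value not in PRACTICES:
        return "unknown"
    return value


def adsp_outcome(author_domain, valid_signing_domains, zone=ZONE):
    """Evaluate ADSP for one message.

    author_domain: domain of the From: address.
    valid_signing_domains: d= values of DKIM signatures that verified.
    Returns 'author-signed', 'nxdomain', or the practice that applies
    (labels chosen for this example).
    """
    author = author_domain.lower().rstrip(".")
    signers = {d.lower().rstrip(".") for d in valid_signing_domains}
    # Only d= equal to the From: domain counts; a parent-domain or
    # third-party signature leaves the message subject to ADSP.
    if author in signers:
        return "author-signed"
    if author not in zone:
        return "nxdomain"  # spoofed name that does not exist at all
    # No tree walk: a record on the parent says nothing about this name.
    return parse_adsp(zone[author])


if __name__ == "__main__":
    for frm, sigs in [("example.com", []), ("example.com", ["esp.example.org"]),
                      ("corp.example.com", ["example.com"]), ("login.example.com", [])]:
        print(f"{frm:20} signed by {sigs}: {adsp_outcome(frm, sigs)}")
```

A subdomain that exists but publishes no record evaluates to unknown even when its parent is discardable, so every name that could appear in a From: address needs its own record.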
