Popowycz, Alex writes:

 > Vlatko

Please don't feed the trolls (including me, I'm regretting my role in this thread). There's work to be done here, and Vlatko seems uninterested in helping with it (eg, when asked for specific references, he says "I'm not a search engine").
What I gather from Vlatko's posts is that there is a use case where an entity (eg, a small business; called "ENTITY" below) wants its own domain (called "OWNDOM" below) referenced in correspondence, but prefers not to maintain a single presence (even as a VPS) on the Internet. Instead, ENTITY uses an ESP (below, "ESP" denotes a particular ESP) to send and receive mail, and ESP provides the usual set of authentication services for its host. The need is to provide credentials and an authentication protocol for mailboxes in OWNDOM that will satisfy identity alignment, and all actors will voluntarily participate.

SPF would require that ESP permit ENTITY to specify MAIL FROM.[1] Then ENTITY publishes an SPF record pointing to ESP's MXs and thus provides identity alignment for OWNDOM. However, this requires that ESP trust that ENTITY has the right to use OWNDOM, and that may be problematic. Eg, spammers could sweep the DNS looking for SPF records pointing to ESP and then specify a domain publishing such a record in MAIL FROM. Perhaps an additional protocol could be designed so that registrars can vouch for entities (OAuth2?) but that's outside the scope of this post.

DKIM seems to be easy, and requires no cooperation as long as ESP passes mail through unchanged except for its own signature and trace fields. ENTITY just generates a keypair, publishes the public key through its DNS, and DKIM signs its own messages with the private key. This should be a SMOP (eg, Python has at least two packages on PyPI for handling DKIM). Identity alignment for OWNDOM will be satisfied.

An alternative would be for ENTITY to trust ESP a little bit, have ESP generate the keypair, send the public key to ENTITY which publishes an appropriate DKIM resource, and then the ESP DKIM signs for ENTITY (and optionally for itself as well). If this capability isn't available at ESP, that too should be a SMOP (basically a database lookup to get the key for ENTITY). Identity alignment for OWNDOM will be satisfied. This last approach seems like a business opportunity for ESPs.

Am I missing something? I don't understand why Vlatko thinks he has a problem that needs a new protocol to solve. What am I missing?

Footnotes:

[1] It's true that ENTITY could publish records in OWNDOM pointing to the MXs as hosts (CNAME), but then HELO would be valid for any user of ESP spoofing OWNDOM AFAICS.

_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc

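The alignment outcomes discussed in the message above, worked through as an added example (this is not code from the post or from any ESP): it evaluates DMARC identifier alignment (RFC 7489 section 3.1, relaxed and strict modes) for the three arrangements the post describes, shows the DKIM and SPF DNS records ENTITY would publish, and shows the authorization check ESP needs on its side so that an OWNDOM SPF record pointing at ESP does not by itself let any ESP customer put OWNDOM in MAIL FROM. The domain names (owndom.example, esp.example), the sample message, its DKIM-Signature headers and the SPF/DKIM verification results are all constructed for the example; a real evaluator would obtain those results from an SPF and DKIM verifier, and would use the public suffix list rather than the last-two-labels approximation of the organizational domain used here.

```python
"""Added example (not from the original post): DMARC identifier alignment for
mail that ENTITY (owner of OWNDOM) sends through a third-party ESP.

Domain names, the sample message and the SPF/DKIM results are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

OWNDOM = "owndom.example"   # constructed: ENTITY's own domain
ESPDOM = "esp.example"      # constructed: the ESP's domain


# --- what ENTITY publishes in OWNDOM's DNS ----------------------------------

def dkim_record(selector, domain, pubkey_b64):
    """(name, TXT value) of the DKIM key record; pubkey_b64 is the base64
    DER SubjectPublicKeyInfo of the RSA public key (any string here)."""
    return ("%s._domainkey.%s" % (selector, domain),
            "v=DKIM1; k=rsa; p=%s" % pubkey_b64)


def spf_record(esp_spf_domain):
    """SPF record for OWNDOM delegating MAIL FROM authorization to ESP's hosts."""
    return "v=spf1 include:%s -all" % esp_spf_domain


# --- what ESP must check before letting a customer use a MAIL FROM domain ---

def esp_allows_mail_from(customer, mail_from_domain, authorizations):
    """OWNDOM's SPF record naming ESP is not proof that *this* customer controls
    OWNDOM (any customer could claim a domain found by sweeping DNS), so ESP
    consults its own record of which customer has proven which domain."""
    return mail_from_domain.lower() in authorizations.get(customer, set())


# --- the receiver's alignment check -----------------------------------------

def org_domain(domain):
    """Approximate organizational domain: last two labels (no public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' = exact match; 'r' = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def rfc5322_from_domain(msg):
    _, addr = parseaddr(msg["From"] or "")
    return addr.rpartition("@")[2].lower()


def dkim_signing_domains(msg):
    """d= tag of every DKIM-Signature header, in header order."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
        if m:
            domains.append(m.group(1).lower())
    return domains


def dmarc_pass(msg, mail_from_domain, spf_result, dkim_passed, mode="r"):
    """True if at least one passing identifier aligns with the From: domain.
    spf_result is the verifier's result for mail_from_domain; dkim_passed is
    the set of d= domains whose signatures verified (supplied by the caller)."""
    fd = rfc5322_from_domain(msg)
    if spf_result == "pass" and aligned(fd, mail_from_domain, mode):
        return True
    return any(d in dkim_passed and aligned(fd, d, mode)
               for d in dkim_signing_domains(msg))


# Constructed sample: From: in OWNDOM, signed by ENTITY (d=OWNDOM) and by ESP.
SAMPLE_MSG = """\
From: ENTITY Support <support@owndom.example>
To: someone@example.net
Subject: constructed sample message
DKIM-Signature: v=1; a=rsa-sha256; d=owndom.example; s=sel1; c=relaxed/relaxed;
 h=from:to:subject; bh=(omitted); b=(omitted)
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=esp1; c=relaxed/relaxed;
 h=from:to:subject; bh=(omitted); b=(omitted)

body
"""

AUTHORIZATIONS = {"customer-42": {OWNDOM}}   # constructed: ENTITY proved OWNDOM


def scenarios():
    msg = message_from_string(SAMPLE_MSG)
    bounce = "bounces." + ESPDOM
    return {
        "signing_domains": dkim_signing_domains(msg),
        # SPF only, ESP lets ENTITY use OWNDOM in MAIL FROM: aligned.
        "spf_owndom_mailfrom": dmarc_pass(msg, OWNDOM, "pass", set()),
        # SPF only, ESP keeps its own bounce domain: SPF passes but not aligned.
        "spf_esp_mailfrom": dmarc_pass(msg, bounce, "pass", set()),
        # DKIM d=OWNDOM verified (signed by ENTITY or by ESP on its behalf).
        "dkim_owndom": dmarc_pass(msg, bounce, "pass", {OWNDOM}),
        # Only ESP's own signature verified: d=esp.example does not align.
        "dkim_esp_only": dmarc_pass(msg, bounce, "pass", {ESPDOM}),
        # Relaxed vs strict for a subdomain signer.
        "relaxed_subdomain": aligned(OWNDOM, "mail." + OWNDOM, "r"),
        "strict_subdomain": aligned(OWNDOM, "mail." + OWNDOM, "s"),
        # ESP-side authorization for MAIL FROM.
        "esp_accepts_entity": esp_allows_mail_from("customer-42", OWNDOM, AUTHORIZATIONS),
        "esp_rejects_other": esp_allows_mail_from("customer-99", OWNDOM, AUTHORIZATIONS),
    }


if __name__ == "__main__":
    print(dkim_record("sel1", OWNDOM, "MIIBIjANBg...(constructed)"))
    print(spf_record("_spf." + ESPDOM))
    for name, result in scenarios().items():
        print("%-22s %s" % (name, result))
```

The point the post makes shows up in the results: a verified signature with d=OWNDOM aligns with the From: address no matter whose hosts relayed the message or what MAIL FROM ESP used, whereas the SPF route only aligns if ESP lets ENTITY set MAIL FROM in OWNDOM, which is exactly where ESP needs its own authorization record rather than trusting the SPF record alone.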