On Jun 8, 2014, at 12:15 AM, Stephen J. Turnbull <[email protected]> wrote:
> I don't think it's that easy -- the domains that matter most are the
> big public providers and ISPs. The domain-based 3rd-party auth
> schemes have a severe scaling problem in those cases. I think the
> dkim-delegate scheme actually is likely to scale better, and adapt
> better to individual user needs.

Dear Stephen,

Considered how weak signing schemes can be abused, especially for small messages. Short expiry offers little protection nor will capturing To: or Cc: headers or including BCC domains in the 'D' list. This solves a parochial interest and overlooks other serious issues.

Email is only protected by assessing validated source domains. Once a source is validated, a TPA-Label should allow the DMARC domain to grant needed alignment exceptions AND retract them when abused. That is a feature missing in a DKIM delegation scheme that also seems likely to imperil safe use of BCC. Frankly, DMARC already exposes those even merely receiving messages. Nor will this scheme satisfy uses exemplified by services offered by Intuit.

It seems the greater good is to adopt a scheme able to handle any eventual abuse and encompasses all the issues. If it is worth doing, it is worth doing right.

Regards,
Douglas Otis
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
