On Thursday, April 30, 2015 06:45:25 PM John Levine wrote:
> >I recall some earlier discussion about encoding information in From local
> >part, but if for no other reason, automatic addition of new email addresses
> >to contacts by some MUAs makes that highly problematic.
>
> This trick also has patent problems.
>
> >DNS query to message-id.yamfsidlocalpart._dmarc.domain. The sender then
> >replies pass/fail/error.
>
> I think you will find that this has impossible scaling problems,
> particularly if you care enough about security to use DNSSEC to deter
> the usual poisoning attacks.
>
> There have been a variety of proposals over the years that publish
> per-message data out of band, so the recipient can check and see if
> the message is OK, and they all have the same scaling problem.
>
> Besides, you can get the same effect by taking whatever would be in
> that DNS record and putting it in the message, with a crypto signature
> to prove that it's real. The signature's validation key may come from
> the DNS, but that's OK since one validation key can be shared over
> many messages. We've just reinvented DKIM, perhaps with an extra
> field or two to include the yaimfs stuff. If you're worried about
> message mutations breaking the signature, don't sign the stuff that's
> likely to mutate.
Yeah. If you want something signed, then it becomes equivalent to the fs= proposal. To be effective, it would have to have something based on database queries, not a static zone, so I can imagine DNSSEC problems. Is having a non-DNSSEC subdomain that has no real hosts in it problematic? RBLs seem to scale reasonably well, although I realize per message is more of an issue than per sending IP.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
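The two designs John contrasts above, as an added worked example that is not code from the thread or from any DMARC/DKIM implementation: approach 1 publishes one DNS record per message under a per-message name; approach 2 carries the same data in the message under an Ed25519 signature and publishes only one key record for the domain, which is the DKIM shape. The zone is an in-memory map, the domain, selector, header field name X-Example-Signature, message IDs and header values are all constructed for the example, and the way a Message-ID is encoded into a DNS label is unspecified in the thread, so a plain token is used here. The canonicalization is a deliberately simplified relaxed-style form, not DKIM's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Zone stands in for a sender's DNS zone: name -> TXT value. Constructed for
// this example; nothing is looked up over the network.
type Zone map[string]string

// Header is one message header field.
type Header struct{ Name, Value string }

// Approach 1: the per-message lookup from the thread. The receiver queries
// <message-id>.<localpart>._dmarc.<domain>, so the zone needs one record per
// message ever sent. (The thread does not say how the ID is encoded; a plain
// token is assumed here.)
func PerMessageName(msgID, localPart, domain string) string {
	return strings.ToLower(fmt.Sprintf("%s.%s._dmarc.%s", msgID, localPart, domain))
}

func PublishPerMessage(z Zone, msgID, localPart, domain, verdict string) {
	z[PerMessageName(msgID, localPart, domain)] = verdict
}

// Approach 2: put the same data in the message and sign it; only the
// validation key lives in DNS, shared across every message (DKIM's shape).

// canonicalize keeps only the header fields listed in signed, in that order,
// with lower-cased names and trimmed values (a simplified relaxed form).
// Fields not listed, e.g. Subject, may mutate in transit without breaking the
// signature: "don't sign the stuff that's likely to mutate".
func canonicalize(hdrs []Header, signed []string) string {
	var b strings.Builder
	for _, want := range signed {
		for _, h := range hdrs {
			if strings.EqualFold(h.Name, want) {
				fmt.Fprintf(&b, "%s:%s\r\n", strings.ToLower(h.Name), strings.TrimSpace(h.Value))
				break
			}
		}
	}
	return b.String()
}

// PublishKey stores a single key record for the whole domain (DKIM-style name).
func PublishKey(z Zone, selector, domain string, pub ed25519.PublicKey) {
	z[selector+"._domainkey."+domain] = "p=" + base64.StdEncoding.EncodeToString(pub)
}

// Sign returns a hypothetical X-Example-Signature field over the listed headers.
func Sign(priv ed25519.PrivateKey, selector, domain string, hdrs []Header, signed []string) Header {
	sig := ed25519.Sign(priv, []byte(canonicalize(hdrs, signed)))
	v := fmt.Sprintf("v=1; a=ed25519; d=%s; s=%s; h=%s; b=%s",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(sig))
	return Header{Name: "X-Example-Signature", Value: v}
}

// parseTags splits "k=v; k=v" into a map (first '=' separates key and value).
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if k, val, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = val
		}
	}
	return tags
}

// Verify fetches the domain's one key record and checks the signature over
// the receiver's copy of the headers. It rejects malformed key or signature data.
func Verify(z Zone, hdrs []Header, sigHdr Header) bool {
	tags := parseTags(sigHdr.Value)
	rec, ok := z[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return false
	}
	pub, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(rec, "p="))
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), []byte(canonicalize(hdrs, strings.Split(tags["h"], ":"))), sig)
}

// Result summarises the comparison: zone size under each approach, and how
// the signed design behaves when an unsigned or a signed field is rewritten.
type Result struct {
	PerMessageRecords, SignedRecords            int
	VerifiesOriginal, VerifiesAfterSubjectEdit  bool
	VerifiesAfterFromEdit                       bool
}

// RunDemo sends n constructed messages from example.com under both designs.
func RunDemo(n int) (Result, error) {
	const domain = "example.com" // constructed sample domain
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	perMsg, signedZone := Zone{}, Zone{}
	PublishKey(signedZone, "sel1", domain, pub)
	signed := []string{"From", "Date", "Message-ID"} // Subject deliberately unsigned
	var res Result
	for i := 0; i < n; i++ {
		mid := fmt.Sprintf("msg%d", i)
		hdrs := []Header{ // constructed sample headers
			{"From", "scott@" + domain}, {"Date", "Thu, 30 Apr 2015 18:45:25 +0000"},
			{"Message-ID", "<" + mid + "@" + domain + ">"}, {"Subject", "Re: per-message lookups"},
		}
		PublishPerMessage(perMsg, mid, "scott", domain, "pass")
		sig := Sign(priv, "sel1", domain, hdrs, signed)
		res.VerifiesOriginal = Verify(signedZone, hdrs, sig)
		mutated := append([]Header(nil), hdrs...)
		mutated[3].Value = "[dmarc-ietf] " + mutated[3].Value // list expander edits unsigned Subject
		res.VerifiesAfterSubjectEdit = Verify(signedZone, mutated, sig)
		mutated[0].Value = "ceo@" + domain // forger edits signed From
		res.VerifiesAfterFromEdit = Verify(signedZone, mutated, sig)
	}
	res.PerMessageRecords, res.SignedRecords = len(perMsg), len(signedZone)
	return res, nil
}

func main() {
	r, err := RunDemo(1000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it for 1000 messages leaves the per-message zone with 1000 records and the signed design with a single key record, while the signature still verifies after the unsigned Subject is rewritten and fails once the signed From is changed; DNSSEC signing of a zone that grows by one record per message is the cost John is pointing at, and it is not modelled here.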
