On 2/10/23 2:11 PM, Wei Chuang wrote:
On Fri, Feb 10, 2023 at 1:48 PM Michael Thomas <[email protected]> wrote:
| When large amounts of spam are received by the mailbox provider,
the
| operator’s filtering engine will eventually react by dropping the
| reputation of the original DKIM signer.
I think this needs some amount of justification. It's really easy
to hand wave this and it's certainly a common assumption, but it's
not a given. What exactly does "dropping the reputation" actually
mean in practice? Does it mean for certain senders, certain
classes of senders, the whole sending domain? How are such drops
weighted? What are plausible metrics the receiver might use? One
mailbox sending a lot of spam but otherwise the sending domain
seems to be behaving well, seems pretty relevant to the topic.
This is especially true if a BCP gets written here. The problem
statement should be as specific as it can be about why it's hard
for receivers to overcome this problem. If there's a lot of
proprietary stuff that can't be talked about, then it's pretty
impossible to put together a BCP since we collectively have no
idea what those practices are.
I think this really goes to the heart of what's going on here.
Mike
Agreed there is a certain amount of hand waviness and things have to
be described abstractly as various black boxes in the system due to
their proprietary nature. But I think it is necessary to mention them
to motivate the deliverability aspect of the problem i.e. why it is
impacted, to provide some intuition for the problem space.
Similarly how DKIM replay impacts the utility of email to the end
users. I think we would agree that there is a preference for a
deterministic DKIM replay solution and avoid reputation systems where
possible.
I understand that Google is not going to tell us exactly how it makes
its filtering and reputation decisions, but that sort of begs the
question of whether we can know what is "best" or "common" given that we
don't know what is "not best" and "not common" out in the industry.
Obviously if we can observe behavior from the outside (eg, not signing
To: and Subject:) that's fair game. But a nebulous "lowers the
reputation" leaves us to just speculate as to what that means. That is
not a very good place to be in for a standards body.
I think that stake holders are going to have to come to some consensus
of what they will and won't share. That in turn will inform the wg what
it can and can't do. If the problem statement remains really vague, that
means the solution space is going to be further constrained.
Mike
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
