----- Original Message -----
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>

> In my view, DKIM is essentially protecting the email message transport
> system.

But it's not. It is protecting the domain. I can test everything about DKIM outside a transport system. I don't need SMTP to work it. It has nothing to do with 2821 parameters, and I believe the closest property to a 2821 parameter is if a 2822.Sender header is included in the signature.

> > The chart offers a theoretical 69% (25/36) hard results with zero
> > false positive ACCEPT/REJECT conditions. It has 31% (11/36) states
> > where there is insufficient data to make a hard decision. However, in
> > these cases, there is nothing to prevent a system or implementation to
> > augment a pattern recognition learning concept of repeated failures.
>
> Sorry, but this is wrong. You are making rules that brand legitimate
> email as bad to claim the scheme works. This scheme does not actually
> stop abuse, but instead exposes email-address domains to unfair
> reputation. The ones that may benefit would be the mega-domains that
> are less likely to be unfairly treated.

How else can it be stated? The SSP Chart is simply reflecting the boundary conditions for the model. Sure enough, some policies are too restrictive for some 3rd party services. Sure enough, some policies are very desirable by some domains.

If I instituted an exclusive policy for santronics.com, I would be tickled pink if a wide adoption of DKIM ready systems would begin to pre-empt the malicious abuse and spoofing of our domain on other MSAs or MDAs. If this was to become a reality, I would immediately STOP using santronics.com for my public roaming participating in various mailing lists. I would use a more relaxed policy, not as safe, but that is par for the course when you choose to hang out in public land. I'm sure an e-Commerce business or bank or other high-value domains, who want to send exclusive important email to their customers, would desire the same level of protection.

You say this doesn't address certain kinds of social engineering phishing mail. I agreed. But I also disagree that your solution will prevent it as well, and I believe your solution might even make the problem worse because you do lack a policy verification concept. You raised the bar for compliancy, yet you are willing to accept broken compliancy as an acceptable form of doing business. That doesn't make sense. Why bother then? Bad Actors will be licking their chops if they see us reach this level of relaxed conclusion with DKIM. They will use DKIM as a way to squeeze through the cracks because your IDEA allows them in the door. A reputation system might help alleviate some of the problem, but I doubt it; even then, it is a separate concept that can be used independent of DKIM.

_______________________________________________
ietf-dkim mailing list
http://dkim.org
