Jim Fenton wrote:

Hector Santos wrote:
With a signature existing, you will always need to check the SSP in order to
check for a "Never Sign" or "We don't send mail from domain. It's Forged"
expectation.

So you always need to check for SSP first.
So you mean "with a valid signature existing?"  If so, isn't that a
contradiction in the published information, so why should I assume SSP
is right?
Especially when you consider that would be a big fat juicy target
for a would-be DoS attacker: spoof SSP "I don't send email" policy
and now all of a sudden legitimately signed mail looks extremely
suspicious.

      Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
