If I understand this right, a local domain that relays thru my 3rd party MTA may have its own signing policy. I then sign as 3rd party, an ssp lookup on example.com sees the third party only policy and also a foo.example.com shows a relaxed signing policy. Both sigs decrypt as valid. That is a good receiver policy indicator.

Thanks,
Bill Oxley
Messaging Engineer
Cox Communications, Inc.
Alpharetta GA
404-847-6397
[EMAIL PROTECTED]

-----Original Message-----
From: Hector Santos [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 01, 2006 10:48 PM
To: Oxley, Bill (CCI-Atlanta); [email protected]
Subject: Re: [ietf-dkim] A few SSP axioms

----- Original Message -----
From: <[EMAIL PROTECTED]>

> All,
>
> As an ISP there are 2 things I will require to implement SSP or another
> DKIM policy methodology
>
> A. I only sign 3rd party
>
> B. I sign exclusively any other sigs make mine broken
>
> There can be other policies but I require those two and am
> wondering why there seems to be a tremendous pushback on this.

+1.

I do have these points though:

For the "A. I only sign 3rd party" policy:

In the SSP draft, there is no semantics for this type of 3rd party policy. The DSAP draft provides all policy types, including this one:

    OP=NEVER; 3P=ALWAYS

However, and this probably needs you to confirm what you mean depending if your ISP business is hosting local domains, are you going to allow other locally hosted domains signed mail as well?

If so, then it would seem to me that your operations policy will dictate that your hosted local domains would have to define an OP=ALWAYS policy with their own DSAP record.

For example, you are hosting ABC.COM for us, based on your operation always signing outbound mail, if I wanted to always sign mail with Doug's new MUA DKIM plug-ins, then I would have to create (or you create) a DSAP policy of:

    OP=ALWAYS; 3P=ALWAYS;

But in general, because you always sign the outbound mail regardless of the hosted domain policy, you would have to instruct/setup your customers to have one of the following:

    OP=NEVER; 3P=ALWAYS;
    OP=ALWAYS; 3P=ALWAYS;
    OP=OPTIONAL; 3P=ALWAYS;

The DKIM-DSAP verifier will honor all these conditions.

Make sense?

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
