On Aug 3, 2006, at 12:45 PM, John L wrote:
"I sign all mail" ...

As I've said before, there are really two different subclasses of
this one. You can have your mail very well under control, but you
don't have control over what the damage might be in transit. For
some people like banks and phishing targets, that collateral
damage is likely to be acceptable. For most everybody else it's not.
So I guess it just intrinsically bugs me that the former is a
pretty rarefied class of sender, and is SSP really _only_ for
them? (leaving I send no mail aside). Is there little or no value
in knowing that you sign everything, but transit related damage is
possible?

We have to keep in mind that the recipient is interpreting this
stuff, and it's up to the recipient to decide what risk they are
willing to accept. Transit damage is always possible, so I don't
see any value in pointing that out. As a receiver, I find a hint
that unsigned mail from you is probably bogus to be useful. Your
own opinion of the value of that mail is not.

A method to indicate whether other services might be employed that do
not retain the integrity of the signature and then do not sign or
sign with a non-designated domain, or originate the message and then
do not sign or sign using a non-designated domain would be helpful.
Those with heavily phished domains may be willing to forgo these
related services that are producing such results. A stipulation
indicating such abstinence would be useful to the recipient.

I also don't see "I sign everything" as limited to large
companies. My lawyer is part of a small firm with their own mail
server on a leased line. I expect they have enough sense to tell
people that if they want to send mail from home or on the road, use
the company's web mail. They'd be a perfectly good candidate for
"I sign everything", and I don't think they're at all atypical.

When DKIM signing is offered by large ESPs, it would be in their
interest to take the steps to securely authenticate and verify
reception of the From address prior to use. This extra effort would
allow autonomous management of the email-address domain's
relationship with that of this provider. Those DKIM providers taking
the extra step of confirming reception should attract more users and
gain greater delivery acceptance. This would also expand DKIM's
coverage of From email-addresses at a faster rate.
The administrator for a law office could make a policy assertion that
their "DKIM-SAFE" provider is a designated signing domain. This
would permit their staff to make use of this provider. The law
office would then be relieved from setting up outbound services or
making complex arrangements. A requirement that the From domain
matches the signing domain could be supplanted by a policy statement
that lists the "DKIM-SAFE" provider as a designated signing domain.
There would be no need to arrange zone delegations, or exchange
selector and key information on a regular basis for this to work. A
designated signing domain that authenticates and confirms reception
of the From email-address should be adequate. This would be in lieu
of separately establishing DKIM signing or the outbound provider
selecting prearranged key/domain combinations to enforce From/signing
domain alignment.
As far as reputation is concerned, there is safety in numbers. DKIM
done the right way should also reduce abusive traffic. Unusual
confirmation activity could warn that someone may be attempting to
abuse their service. Clean-up could be expunging the offending
confirmed email-address and recommending a scrub to the user owning
the account.
-Doug

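Added example, not from this thread or any SSP draft: a receiver-side evaluator for the two policy ideas discussed above, the "I sign everything" assertion and a list of designated third-party signing domains (the "DKIM-SAFE" provider case). The policy fields, domain names and lookup table are assumptions constructed for the example; cryptographic verification of the DKIM signatures is assumed to have been done already, so the function only receives the d= domains that verified.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class SenderPolicy:
    # Hypothetical policy record published by the From domain.
    signs_all: bool = False                              # "I sign everything"
    designated: set[str] = field(default_factory=set)    # trusted third-party signers

# Constructed sample policy table keyed by From domain (normally a DNS lookup).
POLICIES = {
    "bank.example": SenderPolicy(signs_all=True),
    "lawfirm.example": SenderPolicy(signs_all=True, designated={"dkim-safe.example"}),
    # "casual.example" publishes no policy at all
}

def from_domain(header_from: str) -> str:
    """Extract the lowercased domain from a From: header value."""
    addr = header_from.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()

def is_aligned(signer: str, author: str) -> bool:
    """First-party signature: d= equals the From domain or a subdomain of it."""
    return signer == author or signer.endswith("." + author)

def evaluate(header_from: str, verified_signers, lookup=POLICIES.get) -> str:
    """Classify a message for the receiver; the receiver decides what to do with it.

    verified_signers: d= domains whose signatures verified (empty if the
    message was unsigned or the signature was damaged in transit).
    Returns 'pass', 'third-party', 'unsigned-no-policy' or 'suspect'.
    """
    author = from_domain(header_from)
    signers = {s.lower() for s in verified_signers}
    policy = lookup(author)
    if any(is_aligned(s, author) for s in signers):
        return "pass"                      # signed by the author domain itself
    if policy and signers & policy.designated:
        return "pass"                      # signed by a designated signing domain
    if policy and policy.signs_all:
        return "suspect"                   # sender says unsigned/other-signed mail is probably bogus
    if signers:
        return "third-party"               # verifiable signer, but no policy to judge it by
    return "unsigned-no-policy"            # nothing to go on; ordinary unsigned mail
```

Note that transit damage and forgery both land in `suspect` for a signs-all sender, which is exactly the collateral damage the thread says such senders choose to accept.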
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html