On Aug 5, 2006, at 10:02 PM, Hector Santos wrote:
> Where did that come from anyway? "I sign all mail" That isn't in
> SSP DRAFT,
> in fact the SSP says for the o= tag:
SSP did not accommodate listing authoritative domains. Assume any
domain entered into the list indicates that it authoritatively signs
all messages for the From domain. Being within the list brings this
domain to the same level as that of the From domain.
The list can include subdomains or exclude parent domains. Being
within the list could be viewed as "All messages carried for the From
domain are authoritatively signed by domains within the list".
Making this list exclusive or closed would stipulate that no other
domains are used. To illustrate, a "." is used for "closed" and
example.com is the From domain. When undefined domains carry the
From domain (the list is not closed), the reputation of the source
acting on behalf of the From, rather than reliance upon a signature,
is required, as in the case of a mailing list.
Updating the SSP to list notation would be as follows:
o= Outbound signing policy for the entity (plain-text; OPTIONAL,
default is "~"). Possible values are as follows:
~ The entity signs some but not all email.
Change to:
This domain and other domains that may sign are used:
DKIM-FP: <>
- All mail from the entity is signed; unsigned email MUST NOT be
accepted, but email signed with a Verifier Acceptable Third
Party Signature SHOULD be accepted.
Change to:
All mail signed and other domains that may sign are used:
DKIM-FP: <*.example.com>
! All mail from the entity is signed; Third-Party signatures
SHOULD NOT be accepted
DKIM-FP: <*.example.com, .>
. This entity never sends email. The "." policy can be used to
"short circuit" searches from subdomains; for example, the
"ad.jp" domain might use this. If an initial policy search
receives this policy then the email SHOULD NOT be accepted; if
found while searching parent domains then the search should
terminate as though no policy record was found.
DKIM-FP: <.>
^ Repeat query at user level. This value MUST NOT be used in
user-level policy records. A Verifier MUST look up the
selector for "<user>._policy" where <user> is the local-part of
the Originator Address (i.e., the portion of the address before
the "@" character).
Deprecated.
With the list, other domains can be designated as being as
authoritative as the From domain.
Foo.com can sign for example.com; this might be expressed as follows:
Only example.com and foo.com sign all messages and no other domains
are used.
DKIM-FP: <example.com, foo.com, .>
Perhaps example.com never signs but foo.com does and mailing lists
are used:
DKIM-FP: <foo.com>
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
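The DKIM-FP list notation proposed in the message above, as an added example: a small Python parser and verifier-side evaluator that applies the semantics Doug describes (listed domains are authoritative signers, "." closes the list, an open list defers to the reputation of the source, "<.>" means the entity never sends mail). This is not code from the message, the DKIM working group, or any SSP draft. It assumes that a "*." entry matches the bare domain as well as its subdomains, that a plain entry matches exactly, that an empty list "<>" carries no authoritative signer and so behaves like any other open list, and that the signer set handed to it is the d= values of signatures that already verified; the function names and the sample records are the example's own.

```python
"""Parser and evaluator for the proposed DKIM-FP list notation.

Added example, not code from the DKIM WG or any SSP draft. Assumptions
(not fixed by the message): "*." entries match the bare domain and all
of its subdomains; plain entries match exactly; an empty list has no
authoritative signer; parent-domain search short-circuiting is not
modelled here.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class DkimFp:
    signers: tuple   # authoritative signing domains, lowercased
    closed: bool     # True when "." is present in the list


def parse_dkim_fp(record: str) -> DkimFp:
    """Parse 'DKIM-FP: <example.com, foo.com, .>' into its parts."""
    body = record.strip()
    if body.lower().startswith("dkim-fp:"):
        body = body[len("dkim-fp:"):].strip()
    if not (body.startswith("<") and body.endswith(">")):
        raise ValueError("DKIM-FP value must be enclosed in < >")
    items = [i.strip().lower() for i in body[1:-1].split(",") if i.strip()]
    closed = "." in items
    signers = tuple(i for i in items if i != ".")
    return DkimFp(signers=signers, closed=closed)


def entry_matches(entry: str, signer: str) -> bool:
    """Match one list entry against a verified signing domain."""
    if entry.startswith("*."):
        base = entry[2:]
        # assumption: the wildcard covers the base domain itself as well
        return signer == base or signer.endswith("." + base)
    return signer == entry


def evaluate(record: str, signing_domains) -> str:
    """Return 'authoritative', 'reject' or 'source-reputation'.

    signing_domains: d= values of the signatures that verified (may be
    empty for an unsigned message).
    """
    fp = parse_dkim_fp(record)
    signers = {d.lower().rstrip(".") for d in signing_domains}
    if fp.closed and not fp.signers:
        # "<.>": this entity never sends email
        return "reject"
    for entry in fp.signers:
        if any(entry_matches(entry, s) for s in signers):
            return "authoritative"
    if fp.closed:
        # closed list: no other domains are used for this From domain
        return "reject"
    # open list: another source (e.g. a mailing list) may carry the From
    # domain, so the verifier must rely on that source's reputation
    return "source-reputation"


if __name__ == "__main__":
    # constructed sample records and signer sets, not real DNS data
    cases = [
        ("DKIM-FP: <example.com, foo.com, .>", ["foo.com"]),
        ("DKIM-FP: <example.com, foo.com, .>", ["bar.com"]),
        ("DKIM-FP: <*.example.com>", []),
        ("DKIM-FP: <*.example.com, .>", ["lists.example.org"]),
        ("DKIM-FP: <.>", ["example.com"]),
        ("DKIM-FP: <foo.com>", ["example.com"]),
    ]
    for rec, signers in cases:
        print(f"{rec:40} signers={signers!r:25} -> {evaluate(rec, signers)}")
```

The three verdicts map onto the message's distinctions: "authoritative" is a signature from a listed domain, "reject" is what a closed list (or "<.>") yields when nothing listed signed, and "source-reputation" is the open-list case where the verifier has to judge the carrier rather than the signature.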