Sorry Stephen, I'll try to be clearer. When stepping back, perhaps
one should also question whether a policy record is the best solution.
A Policy that can indicate only a solitary state of the 2822.From
being within the signing-domain will be problematic. There are
legitimate causes for a once compliant message to later become non-
compliant. When policy can only reflect adoption of this solitary
provision, non-compliant messages are more likely rejected or placed
into the never read spam folder. The prevalence of delivery related
problems may lead to a general assumption that this policy is only
suitable for dire situations, such as being the subject of a phishing
attack. This solitary state therefore represents a significant step-
function in non-compliant messages being acceptable, to not being
acceptable. This step-function is also likely to become steeper or
more severe over time.
When a solitary state policy ends up providing benefit to an
extremely narrow scope of domains, the overhead of searching label-trees
for a policy intent on blocking non-compliant messages may actually
discourage its adoption. There is little incentive to publish a
policy that does not alter the assumed default. Look-alike domains
are able to thwart even the most severe handling based upon this
policy. This raises the general question whether all emails should
invoke a search for a narrowly applicable policy found somewhere in
the DNS hierarchy. It would be better to adopt a solution that
limits the number of queries to one. In addition, it would be better
to adopt a solution that also thwarts look-alike exploits.
There are two possible solutions:
- A repository of domain names that desire the severe
handling of non-compliant messages.
- An annotation scheme based upon the presence of the
2822.From address being found in the Address book.
Both of these strategies can be done in parallel. Neither scheme
requires a DKIM specific policy. The only essential element needed
to secure annotations based upon 2822.From address would be for
signature semantics to clearly indicate whether the signing domain
assures the validity of this address.
The repository of domain names could be a zone dedicated to this use
under the DKIM.ORG zone, for example. This zone could return a
record indicating that the domain being queried has requested the
severe handling of non-compliant messages, or whether this domain has
been used in criminal fraud as reported by various enforcement agencies.
Both of these solutions do not need policy, and both can thwart a
look-alike attack.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
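The two strategies Doug describes, sketched as an added example (not code from the post or from any DKIM project): a single repository lookup per message, and an address-book annotation that is only trusted when the signature semantics say the signing domain vouches for 2822.From. The repository zone and its record values are constructed stand-ins for the DKIM.ORG-style zone the post imagines.

```python
from email.utils import parseaddr

# Constructed stand-in for a repository zone (e.g. under DKIM.ORG): one
# query per message, keyed by the 2822.From domain. Values are hypothetical.
REPOSITORY = {
    "bank.example": "strict",   # domain asked for severe handling of non-compliant mail
    "fraud.example": "fraud",   # domain reported in criminal fraud by enforcement agencies
}

# Constructed recipient address book; annotations key on the full address,
# so a look-alike domain never matches a stored contact.
ADDRESS_BOOK = {"alice@bank.example", "bob@friend.example"}


def repository_lookup(domain):
    """The single query: stand-in for a DNS lookup of <domain> under the repository zone."""
    return REPOSITORY.get(domain.lower())


def within_signing_domain(from_domain, signing_domain):
    """2822.From domain is the signing domain or a subdomain of it."""
    fd, sd = from_domain.lower(), signing_domain.lower()
    return bool(sd) and (fd == sd or fd.endswith("." + sd))


def classify(from_header, dkim_pass, signing_domain, asserts_from):
    """Return (disposition, annotation) for one message.

    dkim_pass     -- the DKIM signature verified
    signing_domain-- the d= value of that signature
    asserts_from  -- signature semantics assert the signer vouches for 2822.From
    """
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    compliant = dkim_pass and within_signing_domain(from_domain, signing_domain)

    record = repository_lookup(from_domain)
    if record == "fraud":
        return "reject", None
    if record == "strict" and not compliant:
        return "reject", None

    # Address-book annotation is secured only when the signer vouches for From.
    if dkim_pass and asserts_from and addr in ADDRESS_BOOK:
        return "accept", "known-sender"
    return "accept", None
```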