On Sep 11, 2006, at 8:04 AM, Thomas A. Fine wrote:
> With SSP, I can only receive mail that looks ALMOST like it is from
> one of my orgs. This is huge. This gives the user layer the
> ability to quickly, accurately, and precisely differentiate between
> fake and real messages. That's what SSP accomplishes.
A strong email-address policy assertion that disrupts the use of
common services might block exact spoofs. SSP does not differentiate
"real" messages.
> As far as what happens in the user layer, no specification can
> control that. We can certainly predict that a significant number
> of people will still fall for look-alike domains.
An association with a retrained email-address will curtail look-alike
attacks and clarify which messages are "real." For this, the signing
domain must offer an assurance that the email-address is valid as well.
> But this is vastly different than people falling for the exact
> valid email address they were expecting.
Deploying just this mechanism will likely provide a minor impact upon
the spoofing success rate. It may however have a major impact upon
the delivery rate of valid messages.
> What are we here for if we aren't here to fix that?
To offer a comprehensive solution that offers genuine protection
without impairing email delivery.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html