On Thu, 2006-11-23 at 21:18 -0500, Hector Santos wrote:

> > DKIM will never be effective at blocking spam. Spoofing can only be
> > stopped by comparisons with lists established by recipients, such as
> > utilizing their address-book.
>
> I totally disagree and I don't see that is required for us to consider
> implementing DKIM into our system. A MUA is not required to protect a
> DOMAIN who has published an SSP with its policy defined telling a
> RECEIVER what is expected and not expected.

What is meant by an "all From email-addresses are signed" policy assertion? Does this mean "Reject or drop messages sent to a mailing-list."? If so, what percentage of domains wish to make this assertion? How are EAI headers protected?

What must recipients see before an assertion of signature expectation offers effective protections for either recipients or the email-address domain owners? This question is largely pointless. There is no way to know what recipients can see. If the recipient sees a display name or the UTF-8 version of the From header, what protection is provided by an assertion applying to a different domain? None.

Many phishing attempts already utilize altered email-addresses. Look-alike or cousin domain attempts are unaffected by assertions of what is signed.

Annotations based upon signed messages also found in the recipient's address-book thwart these various phishing attempts. Protection is obtained without recipients needing to take out their magnifying glass or make often fruitless queries.

At what point does it become clear self authorization schemes are pointless in both excessive traffic and easily defeated protections? Causing phishing attempts to be unsuccessful is the best way to quell this traffic. On the other hand, an authorization scheme will likely improve phishing success rates.

It is possible for plug-ins to be implemented with existing MUAs. It is being done now, so the MTA vendors don't need to change what they are doing.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
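
The two checks contrasted in the message above, an "all From addresses are signed" assertion and an address-book annotation, side by side as an added example (not code from the thread or from any DKIM implementation). The domains, address book, sample headers and function names are constructed, DKIM verification is assumed to have happened upstream, and domain matching is assumed to be exact.

```python
from email.utils import parseaddr

# Constructed sample data (not from the thread).
ADDRESS_BOOK = {"alerts@bank.example"}  # addresses the recipient has saved
ALL_SIGNED = {"bank.example"}           # domains asserting "all From addresses are signed"

def from_parts(from_header):
    """Split a From header into (address, domain), lower-cased."""
    addr = parseaddr(from_header)[1].lower()
    return addr, addr.rpartition("@")[2]

def policy_violation(from_header, verified_domains):
    """True when the From domain asserts 'all signed' but no verified
    signature from that domain is present (exact-match assumption)."""
    _, domain = from_parts(from_header)
    return domain in ALL_SIGNED and domain not in verified_domains

def annotate(from_header, verified_domains):
    """'known sender' only when the From address is in the address book
    and a verified signature from its domain is present."""
    addr, domain = from_parts(from_header)
    if addr in ADDRESS_BOOK and domain in verified_domains:
        return "known sender"
    return "no annotation"

# name -> (From header, domains whose DKIM signature verified upstream)
SAMPLES = {
    "genuine": ("Example Bank <alerts@bank.example>", {"bank.example"}),
    "unsigned_spoof": ("Example Bank <alerts@bank.example>", set()),
    "cousin_domain": ("Example Bank <alerts@bank-example.example>",
                      {"bank-example.example"}),
    "display_name": ("Example Bank <x@mailer.example>", {"mailer.example"}),
}

def evaluate():
    """Return name -> (policy_violation, annotation) for every sample."""
    return {name: (policy_violation(h, v), annotate(h, v))
            for name, (h, v) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:15} violation={result[0]!s:5} annotation={result[1]}")
```

Only the unsigned exact-domain message trips the policy check; the cousin-domain and display-name samples pass it but, like the unsigned one, do not receive the "known sender" annotation.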
