> -----Original Message-----
> From: Jim Fenton [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 08, 2008 11:14 PM
> To: Siegel, Ellen
> Cc: [email protected]
> Subject: Re: [ietf-dkim] Some concerns with SSP impact on very small
> businesses
>
> Siegel, Ellen wrote:
> >
> > With SSP in play, once the ISP (e.g. yahoo.com) decides to publish an
> > SSP record things start to go downhill. The above configuration will
> > always trigger a lookup since the signature will never come from the ISP
> > domain, and the Verifier will only look for the SSP policy in the From:
> > address domain (yahoo.com). Since it's unlikely that any third party
> > signature used by outsource.com on behalf of their customers (whether
> > it's outsource.com directly, or unique signatures per-customer) will be
> > included in the list of Verifier Acceptable Third Party signatures at a
> > given Verifier, a record with either dkim=all or dkim=strict will cause
> > the joesbikeshop email to be consistently labeled as suspicious even
> > though it is authenticated and even though the address belongs to the
> > author of the email.
> >
>
> The premise here is that a consumer ISP such as yahoo.com is going to
> publish an 'all' or 'strict' SSP record. I am not aware of any consumer
> ISP that, as part of its Terms of Use, requires its customers to send
> outgoing mail through its mail servers. There might be some that have
> this requirement in order to do more effective outbound spam filtering,
> but I'm not aware of them. In the absence of such a requirement, it
> would be improper for these ISPs to publish an 'all' or 'strict' SSP, as
> that would be, in effect, imposing a restriction that wasn't there.
> Customers sending mail using their personal addresses through their
> company's mail infrastructure, or from a hotel that blocks port 25,
> would have the same problem.
>
> Hopefully the consumer ISPs will recognize this. We need to make every
> effort to make everyone know that publishing 'all' or (particularly)
> 'strict' is not something that is done lightly. I know of tools that
> are under development to help domain owners know from where mail from
> their domains is being sent, and hopefully this will raise awareness
> too. I expect that it will be a small but economically significant
> proportion of domains that will ever be able to publish anything other
> than 'unknown'.

I hope you're right, and encourage you to drive this point with the ISPs. It would also be interesting to get some direct feedback from them on this point - it would be useful to have some data.

ISPs tend to have concerns with abusive use of their email addresses just as many other large brands do, so I would tend to expect them to push for at least dkim=all publication. If it is in fact reasonable to expect that ISPs will tend to stick to 'unknown', then the impact on these small senders should be relatively minor.

Ellen

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
