On Mar 17, 2008, at 5:59 PM, Hector Santos wrote:

> Douglas Otis wrote:
>>
>> While MX and A records are used to discover inbound SMTP servers,
>> they can also play a role in determining whether the domain might
>> also be publishing DKIM related policy.
>
> The technical reality today is such that all mail responding
> software is required to follow the RFC based mail system rules for
> responding to an originating address:
>
> Use Reply-To: field. If not available, fall back to From:

DKIM permits reliance on the signing domain. Although DKIM policy is not directly related to SMTP operations, a domain publishing SMTP discovery records confirms the validity of the From domain, whose policy is in question. Discovery records can be used to ascertain whether policy should be expected, and conversely permit the presence of a policy record in the absence of MX records to disavow public use of the domain. In addition, this disavowal is determined without dependence upon record content.

A receiver must invest a fair amount of resources to determine DKIM signature validity. Confirming validity of the domain prior to cryptographic processing offers both receivers and parent domains added protections. Of course, private relationships between transmitter and receiver alleviate the need to confirm the originating domain's validity and even permit use of other transports. However, DKIM ADSP policy records should only pertain to messages publicly delivered to SMTP related destinations. While other protocols might be converted to SMTP, DKIM policy may interfere with their acceptance.

> In other words, in practice, the only thing that is required for a
> valid response is that Reply-To works, if any, and if not, then use
> From:
>
> So unless the Reply-To: header is taken into account in the "Total
> DKIM+POLICY Solution", it really is not addressing the entire issue.
>
> This is also one area I believe SENDER-ID fails with its protocol
> theme of depending on some PRA that does not take into account the
> Reply-To address.

Sender-ID attempts to relate PRAs with IP addresses of all SMTP clients that might be used. This relationship depends upon heuristics that, in some cases, conflict with established practices and standards. The goal of DKIM is to retain validity of the signing domain in concert with established practices and standards. Mailing lists that alter message content are not exceptions, but do represent cases where policy gains importance.

In this case, your concern regarding the change made in definitions for "strict" is justified, IMHO.

> Think about it:
>
> Assume a message gets to a user and it passes all the CBV, RBL, SPF,
> SENDER-ID, DKIM, ASP POLICY tests or at least they don't raise any
> red flag. If the Reply-To field is bogus, then it may be all for
> nothing. The user may be hosed.

As you have noted, a DKIM signature is able to block the use of the Reply-To field. As trust moves to the DKIM signing domain, the domain should not employ length parameters or leave critical header fields open.

To deal with mailing lists, the TPA-SSP draft will be updated with a utility that generates third-party authorization labels. IMHO, third-party authorization scales far more economically and offers a much safer solution for mailing lists and third-party providers. The authorization scheme is transparent to most users; however, who signed the message remains easily determined. Authorization places fewer eggs in the same basket.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
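The two receiver-side checks discussed in this exchange, as an added illustration rather than code from the list or either author: classifying the From domain from its MX/A discovery records before any cryptographic work, and checking that a DKIM-Signature's h= list covers Reply-To without an l= length limit. The DNS table is constructed for the example; the ADSP record location follows RFC 5617.

```python
"""Cheap receiver checks to run before DKIM signature verification.

Added example, not code from the thread. FAKE_DNS is a constructed
in-memory table standing in for real MX, A and ADSP lookups.
"""
import re

# Constructed DNS data: name -> record sets. ADSP records are published
# at _adsp._domainkey.<domain> (RFC 5617); contents here are illustrative.
FAKE_DNS = {
    "example.com": {"MX": ["mail.example.com"], "A": []},
    "_adsp._domainkey.example.com": {"TXT": ["dkim=all"]},
    "internal.example.net": {"MX": [], "A": []},
    "_adsp._domainkey.internal.example.net": {"TXT": ["dkim=discardable"]},
    "nomail.example.org": {"MX": [], "A": ["192.0.2.10"]},
}

def lookup(name, rtype):
    """Stand-in resolver: returns the constructed records for name/rtype."""
    return FAKE_DNS.get(name, {}).get(rtype, [])

def classify_from_domain(domain):
    """Decide from SMTP discovery records alone how to treat a From domain.

    - MX or A present          -> public SMTP destination; look for ADSP
    - no MX/A but ADSP present -> domain disavows public use (content ignored)
    - neither                  -> not a valid public domain; skip crypto
    """
    has_smtp = bool(lookup(domain, "MX") or lookup(domain, "A"))
    has_policy = bool(lookup("_adsp._domainkey." + domain, "TXT"))
    if has_smtp:
        return "check-policy" if has_policy else "no-policy-expected"
    return "disavowed" if has_policy else "invalid-domain"

# DKIM-Signature tag=value pairs are separated by ';' (RFC 4871 tag lists).
TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)")

def signature_covers_reply(dkim_signature):
    """True if the h= list signs both From and Reply-To and no l= body
    length limit is used, i.e. the signer has not left Reply-To open."""
    tags = {k: v.strip() for k, v in TAG_RE.findall(dkim_signature)}
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    return {"from", "reply-to"} <= signed and "l" not in tags
```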
