Suresh Ramasubramanian wrote:
> On Sun, Mar 8, 2009 at 8:58 PM, MH Michael Hammer (5304) <[email protected]>
> wrote:
>> Suresh, notwithstanding what some vendors might wish in terms of
>> reputation, the case for ADSP is and always has been to leverage DKIM to
>> be able to say "this domain signs all mail" in one way or another.
>
> That seems like an overly complex, Rube Goldberg-ish way to indicate
> it. More like developing SPF, with your sole reason being to publish
> "v=spf1 -all" indicating that a domain never sends email.
>
> And it is still not something I would trust without confirmation and
> verification out of band (this, having noticed more than one wrong SPF
> declaration that, if we'd bothered to check on it in our mailserver, would
> have resulted in lost mail).
>
> Further, at least from my perspective, it is not something I would
> bother to check for all but a few significant domains.

Suresh,

Opinions vary.

This would be your [local] policy, your implementation, your
operation. Neither you nor I can speak for others, but I hope the goal here
is to provide the standard protocol tools for vendors/implementers
to provide to their customers and operators to allow them to decide.

Here's the irony:

You just defined your own "POLICY" table - a list of significant
domains to check.

So you have your own localized table for "ADSP" lookup considerations.
I would classify this as a non-anonymous operation.

That hasn't been the real problem IMO. The problem is the anonymous,
the unsolicited, the other good/bad sites of the "significant" world
that may not be part of some special white/black table. If anonymous
operations were not allowed and every sender was required to authenticate,
then we probably wouldn't be here today. But it isn't realistic to
have a closed system across the board. Open SMTP is still valid for
communications.

I would agree with you that valid signatures still require help in the
area of positive reputations. But IMO, failure detection provided
with DKIM+POLICY is where you don't really need reputation.

Just consider that reputation is already widely in practice in many forms.
Many believe that good signatures will not trump a bad rap and, vice
versa, bad signatures will not trump a good rap. So what's the rule
here? Does reputation trump DKIM/POLICY? Is it done by weights? Or
does some certified trusted service govern who is good or bad?

How many times does an ADSP domain have to tell a receiver that failed
signatures or no signatures should be discarded per their ADSP? 1, 2,
5, 10 times? Why would a receiver continue to endure the overhead
when the DOMAIN with an ADSP record is telling the receiver:

    "Dude, do yourself a favor. It's not our mail.
    I suggest you get rid of it. No need to build up
    a score or pass the junk to users, and please do
    not bounce it to us!"

Reputation is still open-ended. No real rules to it other than the
traditional scale/weight concepts. No standard, so unless you are
promoting a single entity, a centralized service everyone can use (and
must/should use to gain any real benefit if that is what you believe),
at best, all we can do is define what is the "feed" to these
futuristic services.

--
Sincerely
Hector Santos
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
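
Added example, not part of the original thread: receiver-side ADSP evaluation as debated above, showing how a published practice plus the message's DKIM results yield an outcome, and how a receiver's local table of "significant" domains changes which messages get checked at all. It assumes the ADSP record syntax of RFC 5617; the function names, outcome labels, domains and records are constructed for illustration.

```python
# Added example, not from the thread. Records and messages are constructed.
# ADSP record syntax per RFC 5617 (TXT at _adsp._domainkey.<author domain>).

def parse_adsp(txt):
    """Return the published practice, or None if there is no usable record."""
    if not txt:
        return None
    name, sep, value = txt.split(";")[0].partition("=")
    if not sep or name.strip() != "dkim":
        return None                      # "dkim" must be the first tag
    value = value.strip()
    # Unrecognized practices are treated like "unknown".
    return value if value in ("all", "discardable") else "unknown"

def adsp_outcome(author_domain, dkim_results, adsp_txt, checked_domains=None):
    """dkim_results: list of (d= domain, verified?) pairs for the message."""
    author = author_domain.lower()
    # Only a valid signature whose d= is the From: domain counts for ADSP.
    if any(ok and d.lower() == author for d, ok in dkim_results):
        return "pass"
    # A receiver-local table of domains worth checking (hypothetical).
    if checked_domains is not None and author not in checked_domains:
        return "not-checked"
    practice = parse_adsp(adsp_txt)
    if practice is None:
        return "none"
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]

# Constructed sample data: (From: domain, DKIM results, ADSP TXT record)
SAMPLES = [
    ("bank.example", [("bank.example", True)], "dkim=discardable"),
    ("bank.example", [], "dkim=discardable"),
    ("bank.example", [("esp.example", True)], "dkim=all"),
    ("shop.example", [("shop.example", False)], "dkim=unknown"),
    ("blog.example", [], None),
]

def run(checked_domains=None):
    return [adsp_outcome(d, r, t, checked_domains) for d, r, t in SAMPLES]

if __name__ == "__main__":
    print(run())                                   # every author domain looked up
    print(run(checked_domains={"bank.example"}))   # local table only
```

The third sample carries a valid signature from a different domain; it does not satisfy the author domain's "all" practice, so the outcome is "fail" rather than "pass".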