On 8/17/09 10:00 PM, deiva shanmugam wrote:
> Hi,
>
> Could someone let me know, is querying the policy record essential for
> DKIM at verification side as DKIM is derived from DomainKeys?
>
> In RFC 4871, usage of policy record was not clearly mentioned. But in
> section 6.3, the RFC says "when communicating with a peer who, by prior
> agreement, agrees to only /send signed messages/" and in section 8.4,
> RFC says "A second security issue related to the DNS revolves around the
> increased DNS traffic as a consequence of fetching selector-based data
> as well as /fetching signing domain policy/." So, I'm not sure whether
> the policy record in DNS TXT record in _domainkey.<domain_name> needs to
> be queried for DKIM?

Some might view policy records as a means to offer advice in creating phished lists. These lists identify domains suffering from being spoofed, where such policy records grant permission to reject non-compliant messages. Some receivers might discard non-compliant messages, which of course could place messages forwarded through a mailing list at risk.

These records are unlikely to be queried on a per-message basis at some negative caching rate, as this would be needed for every email domain, and not just for those with a DKIM signature. Instead, a periodic sampling of DKIM domains or a third-party service could consolidate into a list the domains in need of stringent handling from those that have been seen using DKIM.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
