Hi, Thanks Doug for the clarification.
So, even though the DKIM RFC explicitly doesn't mention the use of policy record in the verification side, still we should query for the policy record.

Thanks,
Deiva Shanmugam

On Tue, Aug 18, 2009 at 12:14 PM, Doug Otis <[email protected]> wrote:

> On 8/17/09 10:00 PM, deiva shanmugam wrote:
>
>> Hi,
>>
>> Could someone let me know, is querying the policy record essential for
>> DKIM at verification side as DKIM is derived from Domainkeys?
>>
>> In RFC 4871, usage of policy record was not clearly mentioned. But in
>> section 6.3, the RFC says "when communicating with a peer who, by prior
>> agreement, agrees to only /send signed messages/" and in section 8.4,
>> RFC says "A second security issue related to the DNS revolves around the
>> increased DNS traffic as a consequence of fetching selector-based data
>> as well as /fetching signing domain policy/." So, I'm not sure whether
>> the policy record in DNS TXT record in _domainkey.<domain_name> need to
>> be queried for DKIM?
>
> Some might view policy records as a means to offer advice in creating
> phished lists. These lists identify domains suffering from being spoofed,
> where such policy records grant permission to reject non-compliant messages.
> Some receivers might discard non-compliant messages, which of course could
> place messages forwarded through a mailing list at risk.
>
> These records are unlikely queried on a per message basis at some negative
> caching rate, as this would be needed for every email domain, and not just
> for those with a DKIM signature. Instead, a periodic sampling of DKIM
> domains or a third-party service could consolidate into a list the domains
> in need of stringent handling from those that have been seen using DKIM.
>
> -Doug
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
