Franck,

Let me clarify that if your system was checking the ADSP record and 
"skipping" or avoiding 3rd-party signing of domains with 
DKIM=DISCARD|ALL, then IMO your system would be protocol consistent 
and behaving correctly.

Blind re-signing could cause problems, such as:

1) Receivers rejecting DKIM=DISCARD|ALL author domains with 3rd party
    signatures.

2) Create negative reputation on the 3rd party signer for perpetuating
    continued sending of 1st party ADSP failures.

3) Potentially create a membership removal for continued failure
    at the recipient mail host by not accepting list signed
    distributions.

To mitigate #3, receiver software SHOULD NOT issue an SMTP-level 
negative reply code (45z, 55z) and, under ADSP failures, SHOULD
accept the message and silently DISCARD it as allowed
by RFC 5321 and RFC 5617.  This will resolve issue #3 and also
minimize backscatter.

#2 is still a risk for 3rd party signers if they ignore RFC 5617.

--



hector wrote:

> 
> Franck Martin wrote:
> 
>> I do not see where is the issue? I 3rd party sign emails and I have not 
>> faced any problems with that (Am I missing something?) The providers
>> that check DKIM all include a dkim=pass in the mail headers.
> 
> Franck,
> 
> That's because receivers have yet to support and honor RFC 5617 (ADSP). 
> Once they do,  your 3rd party signing of domains with ADSP 
> DKIM=DISCARD|ALL are subject to mail rejection/discard at receivers.
> 
> RFC 5617 says:
> 
>      all       All mail from the domain is signed with an Author
>                Domain Signature.
> 
>      discardable
>                All mail from the domain is signed with an
>                Author Domain Signature.  Furthermore, if a
>                message arrives without a valid Author Domain
>                Signature due to modification in transit,
>                submission via a path without access to a
>                signing key, or any other reason, the domain
>                encourages the recipient(s) to discard it.
> 
> What Bill is referring to is the "3rd party Policies" that was part of 
> the original SSP specification but pulled for ADSP.
> 
> SSP included a "concept" that allowed 3rd party signatures, however, the 
> complexity was how do we control (authorize) the 3rd party signer.
> 
> In other words, how do we tell the world that 1st party domain 
> "santronics.com" allows 3rd party signer domain "genuis.com" to sign 
> mail on the behalf of santronics.com.
> 
> The proposals were to provide a LIST "somewhere" like in the POLICY 
> record.  The draft DSAP proposal offered this feature.  The issue with 
> that is how big can that list be.
> 
> -- 
> HLS


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
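Added example (editor's note, not code from anyone in the thread): the two
checks the discussion above keeps coming back to, written out against
RFC 5617.  `should_third_party_sign()` is the list-side check hector
describes (look up the author domain's ADSP record and skip re-signing
when it publishes dkim=all or dkim=discardable); `receiver_disposition()`
is the receiver-side decision, where a message lacking a valid Author
Domain Signature (a verified DKIM signature whose d= equals the From:
domain) is accepted at SMTP time and silently discarded for discardable
domains rather than answered with a 45x/55x.  DNS is replaced by a
constructed dict so it runs offline; every domain in it is hypothetical,
and treating an ambiguous multi-record answer as "unknown" is this
example's own conservative choice, not a rule quoted from the RFC.

```python
"""RFC 5617 (ADSP) checks for a third-party signer and for a receiver.

Constructed example: FAKE_DNS stands in for TXT lookups so the module runs
offline.  All domain names below are placeholders, not real records.
"""
from email.utils import parseaddr

# Constructed stand-in for DNS: name -> list of TXT strings.  A missing key
# means the name does not exist (NXDOMAIN / no data).
FAKE_DNS = {
    "example.com": ["v=spf1 -all"],                       # author domain exists
    "_adsp._domainkey.example.com": ["dkim=discardable"],
    "example.net": ["v=spf1 -all"],
    "_adsp._domainkey.example.net": ["dkim=all"],
    "example.org": ["v=spf1 -all"],                       # publishes no ADSP record
    "example.edu": ["v=spf1 -all"],
    "_adsp._domainkey.example.edu": ["dkim=maybe; x=1"],  # bogus practice value
    "list.example": ["v=spf1 -all"],                      # the mailing list's own domain
}

ADSP_PRACTICES = ("unknown", "all", "discardable")


def author_domain(from_header):
    """Author domain per RFC 5617: the domain part of the RFC 5322 From: address."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def lookup_adsp(domain, dns=FAKE_DNS):
    """RFC 5617 section 4.3 lookup.

    Returns 'nxdomain' when the author domain itself does not exist,
    otherwise the published practice: 'unknown', 'all' or 'discardable'.
    """
    if domain not in dns:
        return "nxdomain"
    records = dns.get("_adsp._domainkey." + domain, [])
    if len(records) != 1:
        # No record, or several (ambiguous).  Treating "several" as no
        # practice is this example's conservative choice.
        return "unknown"
    tags = {}
    for field in records[0].split(";"):          # tag=value; tag=value ...
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    practice = tags.get("dkim", "unknown")
    # RFC 5617 4.2.1: any value other than the defined ones is treated as unknown.
    return practice if practice in ADSP_PRACTICES else "unknown"


def has_author_domain_signature(domain, verified_signature_domains):
    """An Author Domain Signature is a *valid* DKIM signature whose d= is
    exactly the author domain.  A third-party d= (e.g. the list) never counts."""
    return domain in {d.lower() for d in verified_signature_domains}


def should_third_party_sign(from_header, dns=FAKE_DNS):
    """List-side check: do not add a third-party signature for author domains
    that publish dkim=all or dkim=discardable, since that signature cannot
    satisfy ADSP and only ties the list's reputation to the failure."""
    practice = lookup_adsp(author_domain(from_header), dns)
    return practice not in ("all", "discardable")


def receiver_disposition(from_header, verified_signature_domains, dns=FAKE_DNS):
    """Receiver-side decision.  Returns (adsp_result, disposition).

    Every disposition here is reached *after* a 250 at SMTP time: no 45x/55x
    is returned for an ADSP failure, so the list never sees a bounce and
    no backscatter is generated.
    """
    domain = author_domain(from_header)
    practice = lookup_adsp(domain, dns)
    if has_author_domain_signature(domain, verified_signature_domains):
        return practice, "accept"                 # ADSP satisfied whatever the practice
    if practice == "discardable":
        return practice, "accept-silent-discard"  # accepted, then dropped without notice
    if practice == "all":
        return practice, "accept-flagged"         # ADSP failure, but no discard advised
    if practice == "nxdomain":
        return practice, "local-policy"           # RFC 5617 prescribes no action
    return practice, "accept"                     # unknown: no practice published
```

A list that appends a footer breaks the author's signature, so a receiver
checking `alice@example.com` re-signed by `list.example` sees only
`["list.example"]` as verified signers and lands on
`accept-silent-discard`; the same message with the author's signature
still intact (`["example.com", "list.example"]`) is simply accepted.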
