--On 13 October 2009 23:07:58 +0000 John Levine <[email protected]> wrote:
> This is really much simpler than you're making it out to be.
>
>> I understand the issue here, but part of the point of DKIM/ADSP is to
>> allow automated systems to assign reputation to an email domain or
>> email address - a byte string.
>
> For DKIM, that's basically right, it ties a domain to a mail stream so
> receivers can assign a reputation to the mail stream. For ADSP that's
> completely wrong, all it does is allow senders to make assertions that
> receivers may or may not find credible or useful, but that have
> nothing at all to do with managing the mail stream's reputation.
> (Remember that ADSP only applies to mail not in the signed mail
> stream.)

OK. What ADSP adds is the ability to assign reputation to a specific email claiming to originate from a specific domain. Except for "unknown".

>> It might be nice if paypal could publish in the DNS a set of related
>> domains, that it is willing to share the reputation of paypay.com
>
> Why would they do that?

For brand reputation protection - you've cut the relevant quote that I was responding to. It's not really a DKIM issue, but if I get email from paypal.co.uk, then how do I determine whether that email is from paypal? Nothing in the paypal.com ADSP records tells me anything about that domain. I don't know whether to expect email from it. The absence of DKIM and ADSP records tells me nothing.

My idea is that a company might publish an exhaustive list of domains that they use, so that I can automatically detect domains that may be attempts to defraud recipients. I'd probably only apply this to high value domains, but the algorithm would look like this: "if the domain is similar to, but different from PAYPAL.COM, then bump up the spamassassin score". After all, that's what we hope that users will be doing when reading messages.

> Remember that DKIM is not SPF nor Sender-ID,
> and you can put your domain's signature on any mail you send. Paypal
> signs their mail with paypal.com. If I send you a Paypal payment,
> they will send you a mail with my return address announcing the
> payment. That message is signed with d=paypal.com because Paypal
> takes responsibility. (They really do this, I just tried it.)

They use a third party return-path? Presumably not, with the implications for domains that publish spf -all records. Or you mean some message header? The From: header? That would have ADSP implications.

>> Positive reputation could flow from paypal.com to the shared domains,
>> and negative reputation in the reverse direction.
>
> Positive reputation flows from paypal.com to the mail they sign. If you
> think they need a lot of signing domains, you're misunderstanding the
> way that DKIM works.

Actually, that isn't something that occurred to me, but it's useful to know.

> R's,
> John

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
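The rule sketched in the message above ("if the domain is similar to, but different from PAYPAL.COM, then bump up the spamassassin score"), as an added Python example that is not part of the original post. The owner-published domain list, the short suffix table, the edit-distance threshold and the score value are all assumptions constructed for illustration; no DNS record for publishing such a list is assumed to exist.

```python
# Constructed sample data: the "published list" stands in for the hypothetical
# mechanism proposed in the message (a domain owner listing every domain it uses).
PUBLISHED = {"paypal.com": {"paypal.com", "paypal.co.uk"}}

# Constructed, deliberately short suffix table; production code would consult
# the Public Suffix List instead.
SUFFIXES = ("co.uk", "com", "net", "org")


def brand_label(domain):
    """Return the label left of the suffix, e.g. 'paypal' for mail.paypal.co.uk."""
    d = domain.lower().rstrip(".")
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suf):
            return d[: -len(suf) - 1].split(".")[-1]
    return d.split(".")[0]


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_score(from_domain, max_distance=2, bump=2.5):
    """Points to add when from_domain resembles a protected domain but is unlisted."""
    d = from_domain.lower().rstrip(".")
    for protected, related in PUBLISHED.items():
        # Listed domains and their subdomains are vouched for by the owner.
        if d in related or any(d.endswith("." + r) for r in related):
            return 0.0
        # Similar to, but different from, the protected domain: raise the score.
        if edit_distance(brand_label(d), brand_label(protected)) <= max_distance:
            return bump
    return 0.0
```

A domain that reuses the brand label under an unlisted suffix (distance 0) is scored the same as a near-miss spelling, which is the case the exhaustive list is meant to catch.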
