On 10/29/09 6:45 AM, Dave CROCKER wrote: > Rolf E. Sonneveld wrote: >>> ... if they can do so, you accept the entire email. >>> >>> In either case you accept the entire email, >> >> Not necessarily. Many if not most Edge ADMD MTA's perform all sorts >> of actions after the MAIL FROM phase and before the DATA phase. >> Think of greylisting, call back verification, use of RHSBL, use of >> local BL and WL's, etc. etc.
If DKIM is to provide acceptance value, so should authorizations of a DKIM signer. When a Mail From domain authorizes a different DKIM domain signing the message, this could serve as a basis for acceptance of the message. Conceivably, this could be done prior to acceptance of the entire message. After all, authorization can be checked within a single DNS transaction during validation. Perhaps knowing the Mail From domain had authorized the signing domain might grant acceptance prior to validation, but this could lead to an excessive number of DSNs whenever the authorized signature proves to be invalid subsequent to acceptance. The TPA-Label scheme even allows selective assertion of signing practices that could target a message signer being spoofed. > I was just at a session at an industry trade association where the > question of doing DKIM during SMTP came up. There were operations > folk who very much liked the idea of being able to obtain some DKIM > benefit during the SMTP session, before the dot... > > No one suggested modifying SMTP or DKIM specifications. > > What /was/ discussed was the possibility of doing a signature that > would validate before DATA. This merely requires a signature that > does not cover the body. DKIM has split out the body hash from that of the header fields, but that only permits hashing the message body later. Not much saved there. > I can't say that anyone sounded hugely enthusiastic about this, but > given that there was interest in SMTP-time benefit, I think they just > needed to think about this more. In for a penny, in for a pound. As the prior paragraph suggested, the current DKIM signature can provide this feature whenever signature validation is done prior to acceptance and the Mail From domain has offered authorization. It seems holding acceptance until DKIM validation might require hardware assist. Hardware assist is not expensive, and could be limited to trusted sources. Here again, the TPA-Label approach could play a role in the selection. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
