On Jun 24, 2010, at 8:21 AM, Michael Thomas wrote:

> On 06/24/2010 07:49 AM, John Levine wrote:
>> Are you making the assumption that all third party lists would be equally
>> credible? That's no more likely than all DNSBLs being equally credible.
>>
>> In both cases, the good ones will make sure their data is correct,
>> maybe by backchannels to the underlying providers (see the Spamhaus PBL
>> for an example of that) or by some kind of feedback watching the mail
>> they make assertions about. The bad ones won't do that, and won't be
>> useful. (See any number of useless poorly run DNSBLs for an example
>> of that.)
>
> Any service that doesn't have an *explicit* guarantee from the mail
> domain itself that it signs all mail is worse than incompetent,
> it's harmful. A third party can *never* prove the negative that the
> domain in question doesn't have sources of unsigned mail that they
> don't want discarded. The domain in question without a thorough
> audit probably doesn't have a clue itself if it's even vaguely
> largeish.
>
> So why does a domain that performs that painful audit and
> remediation need to then tell John's drop list that it's OK to
> drop unsigned mail? It doesn't. It can just publish an ADSP
> record and be done with it. No need to count on some unreliable,
> unaccountable point of failure to mediate their business.
The problem is that it's not possible to distinguish, based solely on self-published data, the domain that's done all that work and actually understands the implications from the domain that's just published an ADSP record because they'd heard it was a good idea, with no understanding of the effect that would have on their email. Even paypal, who are one of the main forces driving ADSP, didn't think through the most basic implications, and caused a lot of legitimate email that was from their domains, yet not DKIM signed, to be received. If recipient use of ADSP were widespread then that would have been a business failure rather than just an embarrassment.

Given that, the odds that any given ADSP-discardable record is something that it makes operational sense to use is pretty low. And no competent mailbox operator will want to allow untrusted third parties to control the service they provide to their customers - delivery of email.

A similar argument applies to third party lists, including those run by John, ReturnPath and Spamhaus, with the critical difference that each of those lists is a single entity, rather than the ADSP-discardable pseudo-list, which is run by as many different people as there are domains, so their accuracy can be tracked over time, and their data only used once it's demonstrated itself to be accurate enough to have operational benefits.

Cheers,
  Steve

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
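As an added example (my own code, not from anyone in this thread): a Python sketch of the receiver-side gating Steve argues for, in which the RFC 5617 ADSP record (`dkim=unknown|all|discardable` at `_adsp._domainkey.<domain>`) is parsed but `discardable` is only honoured once the domain's own observed mail has shown the claim to be accurate. The class name, the thresholds and the fact that the caller supplies the DNS TXT string and the DKIM verification result are assumptions.

```python
import re
from collections import defaultdict

# RFC 5617 ADSP practice tag; other tags in the record are ignored.
ADSP_TAG = re.compile(r"^\s*dkim\s*=\s*(unknown|all|discardable)\s*$")


def parse_adsp(txt):
    """Return the dkim= practice from an ADSP TXT record, or None if absent."""
    for tag in txt.split(";"):
        m = ADSP_TAG.match(tag)
        if m:
            return m.group(1)
    return None


class AdspGate:
    """Per-domain track record of whether the domain's mail really arrives
    DKIM-signed. Illustrative design with assumed thresholds: dkim=discardable
    is acted on only after min_samples messages with a low unsigned fraction."""

    def __init__(self, min_samples=100, max_unsigned_fraction=0.001):
        self.min_samples = min_samples
        self.max_unsigned_fraction = max_unsigned_fraction
        self.seen = defaultdict(lambda: {"signed": 0, "unsigned": 0})

    def observe(self, domain, signed_ok):
        self.seen[domain]["signed" if signed_ok else "unsigned"] += 1

    def trusted(self, domain):
        c = self.seen[domain]
        total = c["signed"] + c["unsigned"]
        if total < self.min_samples:
            return False
        return c["unsigned"] / total <= self.max_unsigned_fraction

    def disposition(self, domain, adsp_txt, signed_ok):
        """Decide what to do with one message whose author domain is `domain`.
        `adsp_txt` is the raw TXT record (or None), `signed_ok` the DKIM result."""
        self.observe(domain, signed_ok)
        practice = parse_adsp(adsp_txt) if adsp_txt else None
        if signed_ok or practice != "discardable":
            return "deliver"
        # Unsigned mail under a discardable claim: discard only if the domain's
        # own history backs the claim; otherwise quarantine so a domain that
        # misjudged its mail sources loses visibility, not its mail.
        return "discard" if self.trusted(domain) else "quarantine"
```

A burst of unsigned mail from a domain that published `discardable` without auditing its sources pushes its unsigned fraction over the threshold, so the gate falls back to quarantine rather than continuing to discard.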
