On Jun 24, 2010, at 8:45 AM, Martijn Grooten wrote:

>> So why does a domain that performs that painful audit and
>> remediation need to then tell John's drop list that it's OK to
>> drop unsigned mail? It doesn't. It can just publish an ADSP
>> record and be done with it. No need to count on some unreliable,
>> unaccountable point of failure to mediate their business.
>
> What if it publishes an ADSP record but doesn't understand the implications?
> Because, for instance, they send a lot of email to mailing lists. Or because
> to some emails, an MTA adds some blurb to the body after the DKIM signature
> has been computed. Or because they forget that in some (rare) cases they do
> not sign their email. (The latter happened to GMail who, without having
> published an ADSP record, had said that all of their email was DKIM-signed.
> Some of it wasn't. At least one commercial spam filter used GMail's claim to
> block unsigned email coming from GMail.)
>
> So my view of the service being discussed here isn't one where some guy in
> upstate NY claims to have full knowledge of which domains DKIM-sign all their
> outbound email. Rather, it's a service where the manager of the service uses
> claims made by the sender about whether they sign all of their email and then
> only lists those domains that know what they're doing.
Maybe we need an ADSP flag that says "I think I sign all my outbound mail, and if a trusted third party vouches that I'm not entirely clueless about DKIM then you should trust them and treat this as "dkim=discardable", but otherwise don't pay too much attention to this and treat it as "dkim=unknown"". Or maybe that's what "dkim=all" already means.

Cheers,
Steve

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
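The following is an added illustration of the receiver-side logic the thread is arguing about; it is not code from the DKIM list, from either poster, or from any project. It implements the plain RFC 5617 ADSP semantics (dkim=unknown / all / discardable, with unrecognized values and missing records treated as unknown) and, beside them, the hypothetical "dkim=all is only discardable if a trusted third party vouches for you" rule proposed in the reply. The ADSP records, the vouching list, and the four messages are constructed sample data; the failure modes they model are the ones Martijn raises (a mailing list breaking the signature, a domain that misses signing on one path while a third party vouches that it signs everything).

```python
"""Evaluate ADSP (RFC 5617) practices against a DKIM verification result.

Added illustration for the thread above; not code from the DKIM list or any
project.  The vouching set and the "all becomes discardable only if vouched"
rule are the hypothetical flag proposed in the reply, not part of RFC 5617.
The DNS records and messages below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# RFC 5617 section 4.2.1: the dkim= tag takes unknown | all | discardable;
# any other value is treated as "unknown".
VALID_PRACTICES = {"unknown", "all", "discardable"}

# Constructed stand-in for DNS lookups of _adsp._domainkey.<domain> TXT.
SAMPLE_ADSP_RECORDS: Dict[str, Optional[str]] = {
    "careful.example": "dkim=discardable",     # audited; truly signs everything
    "listposter.example": "dkim=discardable",  # signs everything, but posts to lists
    "mostly.example": "dkim=all",              # believes it signs everything; one MTA path does not
    "nopolicy.example": None,                  # no ADSP record published
}

# Constructed list from a hypothetical third-party vouching service.
SAMPLE_VOUCHED: Set[str] = {"careful.example", "mostly.example"}


def parse_adsp_record(txt: Optional[str]) -> str:
    """Return the practice named by an ADSP TXT value, or "unknown"."""
    if txt is None:
        return "unknown"  # no record: the domain makes no claim
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    practice = tags.get("dkim", "unknown")
    return practice if practice in VALID_PRACTICES else "unknown"


@dataclass
class Message:
    author_domain: str            # domain of the From: address
    author_signature_valid: bool  # a DKIM signature by that domain verified


def rfc5617_disposition(practice: str, msg: Message) -> str:
    """Plain ADSP semantics.

    "accept"  - nothing in ADSP argues against the message
    "suspect" - dkim=all and no valid author signature: receiver may treat with suspicion
    "discard" - dkim=discardable and no valid author signature
    """
    if msg.author_signature_valid:
        return "accept"
    if practice == "discardable":
        return "discard"
    if practice == "all":
        return "suspect"
    return "accept"


def vouched_disposition(practice: str, msg: Message, vouched: Set[str]) -> str:
    """Proposed variant: dkim=all is upgraded to discardable only when a
    trusted third party vouches for the domain, otherwise downgraded to unknown."""
    if practice == "all":
        practice = "discardable" if msg.author_domain in vouched else "unknown"
    return rfc5617_disposition(practice, msg)


def run_scenarios() -> Dict[str, Dict[str, str]]:
    """Constructed messages covering the failure modes raised in the thread."""
    cases = {
        # audited domain, intact signature: fine under both rules
        "careful-direct": Message("careful.example", True),
        # discardable domain whose mail passed through a list that appended a
        # footer after signing, so the author signature no longer verifies
        "listposter-via-list": Message("listposter.example", False),
        # dkim=all domain that is vouched for, yet one MTA path sends unsigned
        "mostly-unsigned-path": Message("mostly.example", False),
        # no policy at all, unsigned
        "nopolicy-unsigned": Message("nopolicy.example", False),
    }
    results = {}
    for name, msg in cases.items():
        practice = parse_adsp_record(SAMPLE_ADSP_RECORDS.get(msg.author_domain))
        results[name] = {
            "practice": practice,
            "rfc5617": rfc5617_disposition(practice, msg),
            "vouched": vouched_disposition(practice, msg, SAMPLE_VOUCHED),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:22s} {r['practice']:12s} rfc5617={r['rfc5617']:8s} vouched={r['vouched']}")
```

Running it shows the two sides of the argument in one table: the list-posting domain is discarded under both rules because its own dkim=discardable record, not any third party, is what bites it once the list footer breaks the signature; the dkim=all domain is merely "suspect" under plain ADSP but gets discarded under the vouched rule, because the vouching service asserted something about its signing that was not true on every path. The vouch only ever changes the outcome for dkim=all, which is why the reply wonders whether that is what dkim=all already means.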
