> So my view of the service being discussed here isn't one where some
> guy in upstate NY claims to have full knowledge of which domains
> DKIM-sign all their outbound email. Rather, it's a service where the
> manager of the service uses claims made by the sender about whether
> they sign all of their email and then only lists those domains that
> know what they're doing.

Why not have a negative service then? John's list can refute an ADSP of "at risk" domains by including a link of an exemplar unsigned email (ironically provable via SPF if necessary...)

Sort of assume ADSP competence until shown otherwise rather than assumed incompetent until judged otherwise? That list would then be quite valuable as a way of letting such domains know that they are vulnerable *and* where their leak is.

    dig paypal.com._whatever... txt
    atRisk=y; claimsADSPAll=y; counterExample=http://....

Conceivably "at risk" domains would first submit themselves to such a service and ask it to discover and publish (and/or feedback) counter examples. Since all you need is one counter example, getting 20 or 30 large, trusted mail providers to participate in identifying such emails and domains should be able to know pretty quickly when something has gone awry with their IT audit.

John's list then simply becomes a focal point of discovery rather than a judgment call.

Mark.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
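
An added example, not part of the message above or of any DKIM/ADSP specification: a receiver-side sketch of the "assume competence until a counterexample is published" rule, in Python. The tag names are taken from the record sketched in the message; the function names, verdict strings and sample record are hypothetical.

```python
# Added illustration. Tag names (atRisk, claimsADSPAll, counterExample) come
# from the sketch in the message; everything else here is hypothetical.

def parse_tags(txt):
    """Parse 'k=v; k=v' into a dict; empty or malformed items are skipped."""
    tags = {}
    for item in txt.split(";"):
        # Split on the first '=' only, so '=' inside a URL query survives.
        key, sep, value = item.partition("=")
        if sep and key.strip():
            tags[key.strip()] = value.strip()
    return tags

def claim_refuted(list_txt):
    """True only when the list entry carries an actual counterexample link."""
    tags = parse_tags(list_txt or "")
    url = tags.get("counterExample", "")
    return (tags.get("claimsADSPAll") == "y"
            and url.startswith(("http://", "https://")))

def verdict(has_valid_dkim, domain_claims_all, list_txt):
    """Classify one message given the sender's claim and the list entry."""
    if has_valid_dkim:
        return "signed"
    if not domain_claims_all:
        return "no-claim"
    if claim_refuted(list_txt):
        # A published unsigned exemplar shows the domain leaks unsigned
        # mail, so a missing signature no longer indicates forgery.
        return "claim-refuted"
    # No counterexample on record: the sender's claim is taken at face
    # value and the unsigned message is treated as suspect.
    return "claim-stands"

# Constructed sample record (example.* names are placeholders).
SAMPLE = ("atRisk=y; claimsADSPAll=y; "
          "counterExample=http://list.example/msg?id=1")
```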
