On 10/4/10 11:00 AM, Jeff Macdonald wrote: > On Fri, Oct 1, 2010 at 5:40 PM, MH Michael Hammer (5304) > <[email protected]> wrote: > > To pick on you a little, if a domain owner uses your approach to > > authorize signing by an ESP1, what is the stable identifier we are > > talking about? Is it specific to this customer or is it shared > > across customers? Does the domain owner understand potential > > impacts on their reputation (assuming domain based reputation > > systems ever get off the ground in our lifetime)? > > We are advising our clients to create a sub-domain for DKIM > identifiers. Something they control. Something not tied to their > From:. For those that have multiple streams, we'd recommend creating > DKIM identifiers for each stream. Using DKIM as it was intended.
Only when signed by the same domain (Author Domain) matched exactly with the From email address domain can ADSP policy apply. Retaining customers when your domain is heavily phished means having non-complaint messages rejected becomes a greater concern. > What happens when the domain owner dumps ESP1 and goes to ESP2? Do > they lose whatever (We assume fantastic) reputation they had? Do they > go to square 1 or are they borrowing/renting reputation from ESP2? If > they are borrowing/renting reputation from ESP2, how do they know > that ESP2 isn't using their domains good reputation to help other not > so good senders at ESP2? Diluting the badness so to speak. This assumes reputation assignment ignores who registered the parent domain. > There are of course bad ways to implement things. Some ESPs use > shared IPs for new clients in order to meet the sending rates clients > ask for on day one. We do not have that strategy. Client's go through > a warming phase with IPs dedicated to them. With DKIM, they will > either come with their own identifier and be able to continue > business as usual or start with a new DKIM identifier. I'd advise > against using an e-Dialog DKIM identifier. This also ignores the ability of bad actors to send themselves signed messages they can then be redistribute because DKIM is not _required_ to capture the SMTP RCPT TO. Any expectation of such would cause many messages to be lost. > > I'm assuming this desire for 3rd party signing to have the same > > weight as 1st party signing is somehow related to deliverability > > and not abuse. > > Abusers can be 1st party signers. So I don't understand why there is > a distinction being made between 1st and 3rd party. The difference relates to compliance related with signing practices. With replay ability, DKIM is not easily leveraged as a basis for reputation. Reputation will likely need something developed along the lines of public keys or certificates offered by SMTP clients, because these services can track where messages are sent. Where messages are sent is often the basis for identifying what is abusive. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
