Kai,

> Mark Martinec wrote on Tue, 7 Aug 2007 10:22:22 +0200:
> > Domains which choose a default policy are not required to publish
> > a policy (or SSP) record. Penalizing them for choosing not
> > to explicitly publish what is a default anyway would be unjust.
>
> I think that's not the point.
> The point is to distinguish between using DomainKeys
> and not using DomainKeys.

Right. And the only two things that matter here are (not going into
third-party signing difficulties here):

- either a mail carries a VALID signature from the sender (in which
  case his reputation may be taken into account),
- or else, the published policy indicates the sending domain is signing
  ALL mail (in which case we know a message is fake).

Any other combination is equivalent to a classical mail situation.
Not being so offers a free gift to spammers, e.g. making a distinction
between an invalid and absent signature (a spammer just inserts some
junk signature), or making a distinction between explicit neutral and
implicit (defaulted) policy (a spammer just fakes any sending domain
which has a signing policy that suits him).

> At the moment a domain that doesn't
> use domainkeys is looked at as having default policy "may sign some".
> Frankly, I find this whole portion in the RFC badly flawed. It's an
> implicit opt-in which is considered bad in other circumstances (you know
> what I mean ...). I consider it bad here, too.

The default falls back to a classical non-signed mail situation.

Mark