[Asrg] DKIM role?

Ian Eiloart iane at sussex.ac.uk
Fri Jan 9 03:22:51 PST 2009
--On 8 January 2009 12:10:23 -0800 Douglas Otis <dotis at mail-abuse.org> 
wrote:

>
> On Jan 5, 2009, at 7:22 AM, Ian Eiloart wrote:
>> --On 22 November 2008 08:43:21 -0500 Rich Kulawiec <rsk at gsp.org>
>> wrote:
>>
>>> On Thu, Nov 20, 2008 at 02:33:51PM +0000, Ian Eiloart wrote:
>>>> The only thing that matters is that you can reach the system
>>>> administrator for the domain that sent the email.  Then you can
>>>> assign reputation to the domain, and even to the email address used.
>>>
>>> But you can do that today -- well, by IP address, at least, which
>>> is (as we've seen from the use of DNSBLs) nearly always good enough
>>> to make accept/deny decisions WRT email.
>>
>> But that's not good enough. In fact it's crap. If I want to
>> whitelist an organisation, I can't do it because there's no
>> principled way in which I can know what IP address they're using to
>> send email. I need to be able to whitelist the domain. As long as
>> there's nothing to stop people spoofing the domain,
>
> There are methods that can be used to limit risks related to whitelisting
> domains.  Often these involve capturing prior conversations and noting
> where the message originated.  The locations might then be expanded to
> CIDRs, routes, or acquired address lists.

"Greylisting"? Or something similar. Well, perhaps, but it seems 
complicated compared with SPF. I don't understand why there are banks that 
don't publish SPF records, for example. And, I'd like to be able to 
whitelist all .ac.uk domains when there's an SPF or DKIM match. Why? Well, 
I know that the domains are hard to register, that they have a relationship 
with my organisation, and as a rule I'll be able to contact a competent 
administrator if something goes wrong.

The advantage of DKIM and SPF, of course, is that I don't have to guess 
about anything technical - like which IP addresses belong to a domain.

....

-- 
Ian Eiloart
IT Services, University of Sussex
x3148
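The reply above argues for whitelisting on the authenticated domain (an SPF or DKIM pass) rather than on IP address, with all of .ac.uk as the example zone. The following is an added illustration of that decision, not code from the list thread or from any of its participants: a small Python policy function that reads a simplified Authentication-Results header (the regexes here cover only spf= and dkim= clauses with their smtp.mailfrom and header.d properties, which is an assumption, not a full RFC 8601 parser), collects the domains that actually passed, and matches them against a trusted suffix on a label boundary so that a look-alike such as fakeac.uk does not slip through. The sample headers are constructed.

```python
import re
from typing import Optional, Set

# Constructed sample Authentication-Results header values (not from the thread).
SAMPLE_HEADERS = [
    "mx.example.ac.uk; spf=pass smtp.mailfrom=sussex.ac.uk; dkim=pass header.d=sussex.ac.uk",
    "mx.example.ac.uk; spf=fail smtp.mailfrom=sussex.ac.uk; dkim=none",
    "mx.example.ac.uk; spf=pass smtp.mailfrom=fakeac.uk; dkim=pass header.d=fakeac.uk",
    "mx.example.ac.uk; dkim=pass header.d=ac.uk.example.com",
]

# Zones whose domains we are willing to whitelist once they authenticate.
TRUSTED_SUFFIXES = ("ac.uk",)

# Simplified clause parsing: one method=result pair followed by its properties,
# up to the next semicolon. Assumed shape, not a complete RFC 8601 grammar.
_RESULT_RE = re.compile(r"\b(?P<method>spf|dkim)=(?P<result>\w+)(?P<props>[^;]*)")
_PROP_RE = re.compile(r"(?P<name>smtp\.mailfrom|header\.d)=(?P<value>[^\s;]+)")


def authenticated_domains(auth_results: str) -> Set[str]:
    """Return the domains that passed SPF or DKIM in one Authentication-Results value.

    Only clauses whose result is 'pass' contribute; a failed or absent check
    never yields a domain, so the caller cannot whitelist on an unverified claim.
    """
    domains = set()
    for m in _RESULT_RE.finditer(auth_results):
        if m.group("result").lower() != "pass":
            continue
        for p in _PROP_RE.finditer(m.group("props")):
            value = p.group("value").lower().rstrip(".")
            # smtp.mailfrom may carry a full address; keep only the domain part.
            domains.add(value.rsplit("@", 1)[-1])
    return domains


def in_trusted_zone(domain: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """Suffix match on DNS label boundaries.

    'sussex.ac.uk' and 'ac.uk' match the suffix 'ac.uk'; 'fakeac.uk' does not,
    and neither does 'ac.uk.example.com', whose trailing labels are different.
    """
    labels = domain.lower().split(".")
    for suffix in suffixes:
        s_labels = suffix.lower().split(".")
        if len(labels) >= len(s_labels) and labels[-len(s_labels):] == s_labels:
            return True
    return False


def whitelist_decision(auth_results: str) -> Optional[str]:
    """Return the authenticated domain that justifies whitelisting, or None."""
    for domain in sorted(authenticated_domains(auth_results)):
        if in_trusted_zone(domain):
            return domain
    return None


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r:90} -> {whitelist_decision(header)}")
```

The decision is keyed to the domain that a receiver verified (the SPF MAIL FROM domain or the DKIM d= value), never to the visible From: header, which is exactly the property the post wants: the whitelist entry names an organisation, not a guess at its outbound IP addresses.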