[Asrg] where the message originated

Steve Atkins steve at blighty.com
Mon Jan 12 07:42:11 PST 2009


On Jan 12, 2009, at 4:44 AM, Alessandro Vesely wrote:

> John Levine wrote:
>>> However, anyone can write "Gordon Peterson <gep2 at terabites.com>" on
>>> that box's return address field. Do we really want that to be signed?
>> Signed by KioskCo?  Of course.
>
> Hm.. I'm not much into DKIM. It technically allows signing false
> identities, but doesn't (or shouldn't) it semantically imply that  
> the signers must have some (possibly small but still positive)  
> degree of trust that what they sign is correct?

No. The signature only means that the message you received was the one  
signed by the signing identity.

> In that case the question is whether KioskCo would really want to  
> sign that, and publish their slyness in their policy.
>
>> My point was that if all of KioskCo's kiosks apply the same signature,
>> that will be a large enough mailstream that recipients can form an
>> opinion of how good it is, even though the stream from each individual
>> kiosk would be too small.
>
> Although a critical mass is a common requirement of most anti-spam  
> measures, requiring some kind of threshold for each single sender is  
> more of a weakness.

Any mail system that only allows mail to be sent one at a time, and  
requires that the mail be hand-typed (rather than stored in a  
signature or pasted in) and which charges for the service via a credit  
card is going to be a negligible source of abusive email.

KioskCo is definitely going to want to sign the outbound mail with  
their identity, as that identity is unlikely to get a bad reputation  
and will likely get a good reputation over time.

Worst case, DKIM signing the mail will have no effect. More likely it  
will have some positive effect at some recipients. It's a nice example  
of why DKIM signing even low volume sources of mail can be a good  
idea, if they have the resources to actually do the signing.

Cheers,
   Steve
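
The distinction drawn in this message, as an added example that is not part of the original post: a receiver keys reputation on the DKIM signing domain (d=), which stays the same across all kiosk mail, rather than on the hand-typed From: address. The domain kiosk.example, the addresses, and the bh=/b= values are constructed, and the code assumes the signatures have already been cryptographically verified.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr


def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376, section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def identities(raw):
    """Return (signing domain from d=, domain of the From: address)."""
    msg = message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    signer = dkim_tags(sig).get("d", "").lower() if sig else None
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return signer, author


def tally(messages):
    """Count messages per signing domain and per claimed author domain."""
    by_signer, by_author = Counter(), Counter()
    for raw in messages:
        signer, author = identities(raw)
        by_signer[signer] += 1
        by_author[author] += 1
    return by_signer, by_author


def sample(author):
    """Constructed kiosk message; bh= and b= are placeholders, not real data."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; d=kiosk.example; s=k1;\n"
        "\th=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
        f"From: Traveller <{author}>\n"
        "Subject: hello\n\nTyped by hand at a kiosk.\n"
    )


if __name__ == "__main__":
    mail = [sample(a) for a in
            ("alice@a.example", "bob@b.example", "carol@c.example")]
    signers, authors = tally(mail)
    print("per signer:", dict(signers))   # one stream, large enough to rate
    print("per author:", dict(authors))   # three streams of one message each
```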


