[Asrg] where the message originated (was: DKIM role?) (SM)

Dotzero dotzero at gmail.com
Mon Jan 19 06:07:16 PST 2009


On Mon, Jan 19, 2009 at 6:55 AM, Ian Eiloart <iane at sussex.ac.uk> wrote:
>
>
> --On 16 January 2009 10:00:17 -0800 SM <sm at resistor.net> wrote:
>
>> At 03:45 16-01-2009, Ian Eiloart wrote:
>>>
>>> Now, what I'm suggesting (not advocating yet, because I'm not
>>> certain that this is right), is that when there's no SPF record
>>> published, that we should not feel too bad about bouncing email
>>> because the domain administrator isn't taking adequate steps to
>>> protect the domain against spam blowback, and against phishing. Of
>>> course, I'm NOT suggesting that lack of an SPF record should score
>>> very high in any spamicity measure, but it might count for something.
>>
>> What does SPF have to do with phishing?
>
> Er, a lot. Would you rather bank with an organisation that published SPF
> records, or not? I know I would.
>
> I'd also like an email client that tells me when the From: header domain
> doesn't match the return-path domain.
>
>>
>> I prefer to take adequate steps to prevent "invalid" bounces.  It helps
>> me if the postmaster takes adequate steps for me to determine what is
>> valid.  Some people do not use SPF due to its restrictions on email usage.
>>
>>> Now, an SPF or DKIM match gives us the huge gain that we can bounce
>>> messages selectively based on the content. Some recipients may not
>>> want certain message content, but by the
>>
>> DKIM-signed messages coming through this mailing list cannot be verified.
>>
>> Regards,
>> -sm
>
> --
> Ian Eiloart
> IT Services, University of Sussex
> x3148

Ian,

While I appreciate your ardent fervor in support of SPF and DKIM, it
would appear that your practical experience is somewhat limited. For
the domains I'm responsible for I've sent 700 million+ DKIM signed
messages and in excess of 1 billion messages since changing the SPF
records for these domains to end with -all.

While I am supportive of both these approaches, I recognize that there
are specific ways that breakage occurs for otherwise legitimate mail.
There has been plenty of discussion on these issues on other lists
such as spf-discuss and ietf-dkim.

Your analysis of whether and how domains should implement these
approaches is somewhat simplistic and as you point out above, you
don't even eat the dog food that you advocate others should. An
exercise you might engage in.... what types of breakage occur when a
domain publishes -all at the end of their SPF record (Assuming that
receivers respect the published record and act accordingly)? What
sorts of breakage occur for messages from a domain assuming they were
able to communicate that they sign all messages for a particular
domain?

Just a few thoughts.
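As an added illustration of the breakage question raised above (example code, not from anyone in this thread), the following minimal SPF evaluator uses a constructed DNS table for hypothetical domains to show how the same message passes from an authorized host but fails outright under -all once a forwarder re-sends it from its own address; it also includes the From:/Return-Path domain comparison mentioned earlier. Only the ip4, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these zones are hypothetical.
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Evaluate a minimal SPF subset (ip4, include, all) for a sending IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no record: receiver has nothing to act on
    if depth > 10:
        return "permerror"  # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to pass when they match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # -all / ~all / ?all decide here
        name, _, value = term.partition(":")
        if name == "ip4" and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(value, ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no trailing "all"


def header_alignment(from_domain, return_path_domain):
    """True when the From: header domain matches the envelope sender domain."""
    return from_domain.lower() == return_path_domain.lower()


# A forwarder that re-sends without rewriting the envelope sender shows up
# to the receiver as an unauthorized IP (constructed address) for the domain.
FORWARDER_IP = "203.0.113.7"
```

Running check_spf("strict.example", FORWARDER_IP) gives "fail", while the same forwarded message from soft.example only softfails and a domain with no record returns "none".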

