[Asrg] where the message originated (was: DKIM role?) (SM)
Dotzero
dotzero at gmail.com
Mon Jan 19 07:30:08 PST 2009
On Mon, Jan 19, 2009 at 9:32 AM, Ian Eiloart <iane at sussex.ac.uk> wrote:
>
>
> --On 19 January 2009 09:07:16 -0500 Dotzero <dotzero at gmail.com> wrote:
>
>>
>> Ian,
>>
>> While I appreciate your ardent fervor in support of SPF and DKIM, it
>> would appear that your practical experience is somewhat limited. For
>> the domains I'm responsible for I've sent 700 million+ DKIM signed
>> messages and in excess of 1 billion messages since changing the SPF
>> records for these domains to end with -all.
>>
>> While I am supportive of both these approaches, I recognize that there
>> are specific ways that breakage occurs for otherwise legitimate mail.
>> There has been plenty of discussion on these issues on other lists
>> such as spf-discuss and ietf-dkim.
>
> Yes, I'm aware of the discussions. However, I'm also aware that email is
> already very broken in many ways. We seem to be stuck in a place where we
> can't move for fear of breaking something, even if the place we want to go
> would be so much better than where we are.
>
Note that I did not talk about breakage in general, I pointed out that
there are very specific ways in which mail breaks for each of these
approaches. I'm not speaking theoretically. As I pointed out, domains
I'm responsible for have sent a nontrivial amount of mail under both
of these approaches. Given that these domains have been heavily abused
we have accepted the tradeoff between reduced abuse vs breakage of
otherwise legitimate mail. This tradeoff may not make sense for other
domains. I reiterate, I am speaking as someone who has already
implemented.
>> Your analysis of whether and how domains should implement these
>> approaches is somewhat simplistic and as you point out above, you
>> don't even eat the dog food that you advocate others should.
>
> Yes, I think I said that I'm engaged in discussing an idea, rather than
> advocating it. Probably I've actually said both things.
>
Might I ask why you are not publishing SPF records that end in -all or
signing DKIM for all the email from your domains?
>> An exercise you might engage in.... what types of breakage occur when a
>> domain publishes -all at the end of their SPF record (Assuming that
>> receivers respect the published record and act accordingly)?
>
> That, I'm certainly not yet advocating. I'm suggesting that publication of
> records, even with "~all", is a huge step forward. It'll improve
> deliverability of properly submitted emails in domains that are able to
> maintain good reputation.
Why is ~all a huge step forward? What do you expect receivers to do
with mail from domains that make an assertion that translates to "I
don't really know where legitimate email purporting to be from my
domain emanates from"?
> That'll encourage deployment of proper MSA
> servers. It'll encourage deployment of MSA and DKIM compatible forwarding
> services, because they'll be more successful.
DKIM is not path based.
> Eventually, we'll end up in a
> place where more and more admins are happy to publish, and respect "-all"
> records.
>
You appear to believe that DKIM is dependent on SPF.
> Heck, I might even suggest that the UK (just cos that's where I am) should
> legislate that financial services organisations (those regulated by the
> Financial Services Authority) MUST publish SPF records and sign their
> outgoing email.
>
I might suggest that you check with the mail and abuse folks at
financial organizations and ask what issues they are encountering.
>> What sorts of breakage occur for messages from a domain assuming they were
>> able to communicate that they sign all messages for a particular
>> domain?
>>
>> Just a few thoughts.
>> _______________________________________________
>> Asrg mailing list
>> Asrg at irtf.org
>> http://www.irtf.org/mailman/listinfo/asrg
>
>
>
> --
> Ian Eiloart
> IT Services, University of Sussex
> x3148