Re: Domainkeys and ISPs
On Wed, Mar 12, 2008 at 06:08:52PM +0800, Thomas Goirand wrote:
> Michael Sprague wrote:
> > Since I'm new to the domainkeys thing, I'm not sure what is considered
> > okay or not. For example, I could sign every piece of email that leaves
> > our outgoing server. It seems pretty easy to do in exim4 by setting
> > $dk_domain to whatever I want in the router. But is that considered
> > uncool? Do other ISPs sign ALL messages to help deal with Yahoo?
> In the DEBIAN.Readme my colleague wrote some comments on how to use it.
> And indeed, it does sign all outgoing email.
> I hope that helps,
Thanks for the info on dkimproxy, Thomas. I'll definitely check it out.
But I'm curious on how people feel, in general, about signing every
outgoing message. I can see why some may consider that a Bad Thing(tm).
I think forwards are the best example.
If we host email@example.com and that user forwards their email to
firstname.lastname@example.org, should we sign those forwarded messages? I see 2 potential
problems with that.
First, let's say email@example.com sends a message to
firstname.lastname@example.org and we forward it to email@example.com. If we sign that
message, could/should legit.com get mad at us?
Second, let's say firstname.lastname@example.org sends a message to
email@example.com and it gets by our spam filtering. We forward to
firstname.lastname@example.org. If we sign it, are we helping spammer.com in any way?
The purpose of DK (from http://www.ietf.org/rfc/rfc4870.txt) is to
prove the "provenance and contents of an email" by digitally signing
email on a per-domain basis. The claimed ultimate goal is "to
unequivocally prove and protect identity".
I guess my question is, by signing messages for domains one doesn't
control or manage, is one violating the spirit of DK and/or DKIM?
Michael F. Sprague | email@example.com
http://www.saneinc.net | System and Network Engineering (SaNE), Inc
Providers of the SpamOnion anti-spam service
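
The forwarding cases raised in the message above, as an added example that is not part of the original post: a signing-policy check that returns a signing domain only when the message's From: domain is one the server hosts, so forwarded mail from other domains is relayed unsigned. The hosted-domain list, the `.example` addresses and the choice to key on the From: header alone are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Hypothetical list of domains this server is authoritative for (constructed).
HOSTED_DOMAINS = {"hosted.example", "customer.example"}

# Constructed sample messages: one written by a hosted user, one received
# from an outside domain and forwarded on, and one with no From: header.
LOCAL = ("From: Alice <alice@HOSTED.example>\nTo: bob@elsewhere.example\n"
         "Subject: hi\n\nbody\n")
FORWARDED = ("From: carol@legit.example\nTo: alice@hosted.example\n"
             "X-Forwarded-To: alice@mailbox.example\nSubject: hi\n\nbody\n")
NO_FROM = "To: alice@hosted.example\nSubject: hi\n\nbody\n"


def from_domains(raw_message):
    """Return the set of lower-cased domains found in the From: header(s)."""
    msg = message_from_string(raw_message)
    domains = set()
    for _name, addr in getaddresses(msg.get_all("From", [])):
        local, sep, domain = addr.rpartition("@")
        if sep and local and domain:
            domains.add(domain.lower().rstrip("."))
    return domains


def signing_domain(raw_message, hosted=HOSTED_DOMAINS):
    """Pick the domain to sign as, or None to relay the message unsigned.

    Sign only when From: names exactly one domain and we host it. Forwarded
    mail keeps the original author's From:, so it falls through unsigned.
    """
    domains = from_domains(raw_message)
    if len(domains) != 1:
        return None  # missing, unparsable or multi-domain From:
    (domain,) = domains
    return domain if domain in hosted else None


if __name__ == "__main__":
    for label, raw in (("local", LOCAL), ("forwarded", FORWARDED),
                       ("no From:", NO_FROM)):
        print(label, "->", signing_domain(raw) or "relay unsigned")
```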