
Re: Domainkeys and ISPs



On Wed, Mar 12, 2008 at 06:08:52PM +0800, Thomas Goirand wrote:
> Michael Sprague wrote:
<SNIP>
> > Since I'm new to the domainkeys thing, I'm not sure what is considered
> > okay or not.  For example, I could sign every piece of email that leaves
> > our outgoing server.  It seems pretty easy to do in exim4 by setting
> > $dk_domain to whatever I want in the router.  But is that considered
> > uncool?  Do other ISPs sign ALL messages to help deal with Yahoo?
<SNIP>
> In the DEBIAN.Readme my colleague wrote some comments on how to use it.
> And indeed, it does sign all outgoing email.
> 
> I hope that helps,

Thanks for the info on dkimproxy, Thomas.  I'll definitely check it out.

But I'm curious on how people feel, in general, about signing every
outgoing message.  I can see why some may consider that a Bad Thing(tm).
I think forwards are the best example.

If we host user@example.com and that user forwards their email to
user@yahoo.com, should we sign those forwarded messages?  I see 2 potential
problems with that.

First, let's say goodperson@legit.com sends a message to
user@example.com and we forward it to user@yahoo.com.  If we sign that
message could/should legit.com get mad at us? 

Second, let's say spammer@spammer.com sends a message to
user@example.com and it gets by our spam filtering.  We forward to
user@yahoo.com.  If we sign it, are we helping spammer.com in any way?

The purpose of DK (from http://www.ietf.org/rfc/rfc4870.txt) is to
prove the "provenance and contents of an email" by digitally signing
email on a per-domain basis.  The claimed ultimate goal is "to
unequivocally prove and protect identity".

I guess my question is, by signing messages for domains one doesn't
control or manage, is one violating the spirit of DK and/or DKIM?

thanks,
mikeS

-- 
Michael F. Sprague     | mfs@saneinc.net
http://www.saneinc.net | System and Network Engineering (SaNE), Inc
Providers of the SpamOnion anti-spam service

