Re: Domainkeys and ISPs

To: debian-isp@lists.debian.org
Subject: Re: Domainkeys and ISPs
From: Thomas Goirand <thomas@goirand.fr>
Date: Thu, 13 Mar 2008 00:07:37 +0800
Message-id: <47D7FFC9.4080101@goirand.fr>
In-reply-to: <20080312132232.GB11516@saneinc.net>
References: <47D73995.30203@saneinc.net> <47D7ABB4.2060305@goirand.fr> <20080312132232.GB11516@saneinc.net>

Michael Sprague wrote:
> On Wed, Mar 12, 2008 at 06:08:52PM +0800, Thomas Goirand wrote:
>> Michael Sprague wrote:
> <SNIP>
>>> Since I'm new to the domainkeys thing, I'm not sure what is considered
>>> okay or not.  For example, I could sign every piece of email that leaves
>>> our outgoing server.  It seems pretty easy to do in exim4 by setting
>>> $dk_domain to whatever I want in the router.  But is that considered
>>> uncool?  Do other ISPs sign ALL messages to help deal with Yahoo?
> <SNIP>
>> In the DEBIAN.Readme my colleague wrote some comments on how to use it.
>> And indeed, it does sign all outgoing email.
>>
>> I hope that helps,
> 
> Thanks for the info on dkimproxy, Thomas.  I'll definitely check it out.
> 
> But I'm curious on how people feel, in general, about signing every
> outgoing message.  I can see why some may consider that a Bad Thing(tm).
> I think forwards are the best example.
> 
> If we host user@example.com and that user forwards their email to
> user@yahoo.com, should we sign those forwarded messages?  I see 2 potential
> problems with that.
> 
> First, let's say goodperson@legit.com sends a message to
> user@example.com and we forward it to user@yahoo.com.  If we sign that
> message could/should legit.com get mad at us? 
> 
> Second, let's say spammer@spammer.com sends a message to
> user@example.com and it gets by our spam filtering.  We forward to
> user@yahoo.com.  If we sign it, are we helping spammer.com in any way?
> 
> The purpose of DK (from http://www.ietf.org/rfc/rfc4870.txt) is
> prove the "provenance and contents of an email" by digitally signing
> email on a per-domain basis.  The claimed ultimate goal is "to
> unequivocally prove and protect identity".
> 
> I guess my question is, by signing messages for domains one doesn't
> control or manage, is one violating the spirit of DK and/or DKIM?
> 
> thanks,
> mikeS

All these are very good points, and I don't know how dkimproxy is
handling it. I'll have a look, and see how we can do that, but to me
this has to be handled by dkimproxy itself. I'll try to get in touch
with the upstream.

Thomas

Reply to:

Follow-Ups:
- Re: Domainkeys and ISPs
  - From: "Andrew McGlashan" <andrew.mcglashan@affinityvision.com.au>

References:
- Domainkeys and ISPs
  - From: Michael Sprague <mfs@saneinc.net>
- Re: Domainkeys and ISPs
  - From: Thomas Goirand <thomas@goirand.fr>
- Re: Domainkeys and ISPs
  - From: Michael Sprague <mfs@saneinc.net>

Prev by Date: Re: Domainkeys and ISPs
Next by Date: Re: Domainkeys and ISPs
Previous by thread: Re: Domainkeys and ISPs
Next by thread: Re: Domainkeys and ISPs
Index(es):
- Date
- Thread