
Re: Domainkeys and ISPs

Michael Sprague wrote:
> On Wed, Mar 12, 2008 at 06:08:52PM +0800, Thomas Goirand wrote:
>> Michael Sprague wrote:
> <SNIP>
>>> Since I'm new to the domainkeys thing, I'm not sure what is considered
>>> okay or not.  For example, I could sign every piece of email that leaves
>>> our outgoing server.  It seems pretty easy to do in exim4 by setting
>>> $dk_domain to whatever I want in the router.  But is that considered
>>> uncool?  Do other ISPs sign ALL messages to help deal with Yahoo?
> <SNIP>
>> In the DEBIAN.Readme my colleague wrote some comments on how to use it.
>> And indeed, it does sign all outgoing email.
>> I hope that helps,
> Thanks for the info on dkimproxy, Thomas.  I'll definitely check it out.
> But I'm curious on how people feel, in general, about signing every
> outgoing message.  I can see why some may consider that a Bad Thing(tm).
> I think forwards are the best example.
> If we host user@example.com and that user forwards their email to
> user@yahoo.com, should we sign those forwarded messages?  I see 2 potential
> problems with that.
> First, let's say goodperson@legit.com sends a message to
> user@example.com and we forward it to user@yahoo.com.  If we sign that
> message could/should legit.com get mad at us? 
> Second, let's say spammer@spammer.com sends a message to
> user@example.com and it gets by our spam filtering.  We forward to
> user@yahoo.com.  If we sign it, are we helping spammer.com in any way?
> The purpose of DK (from http://www.ietf.org/rfc/rfc4870.txt) is to
> prove the "provenance and contents of an email" by digitally signing
> email on a per-domain basis.  The claimed ultimate goal is "to
> unequivocally prove and protect identity".
> I guess my question is, by signing messages for domains one doesn't
> control or manage, is one violating the spirit of DK and/or DKIM?
> thanks,
> mikeS

All these are very good points, and I don't know how dkimproxy is
handling it. I'll have a look, and see how we can do that, but to me
this has to be handled by dkimproxy itself. I'll try to get in touch
with the upstream.
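
Added example, not part of the thread and not dkimproxy's or exim4's own behaviour: one possible policy for the forwarding cases raised above, which signs only when the single From: author belongs to a domain the server hosts and relays everything else unsigned. The policy, the function name `signing_domain` and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: domains this server hosts and holds signing keys for.
HOSTED_DOMAINS = {"example.com"}


def signing_domain(raw_message, hosted=HOSTED_DOMAINS):
    """Return the hosted domain to sign under, or None to relay unsigned.

    Assumption of this sketch: the decision is keyed on the From: header only.
    """
    msg = message_from_string(raw_message)
    addresses = [addr for _name, addr in getaddresses(msg.get_all("From", []))]
    # No author, or several authors: there is no single domain to vouch for.
    if len(addresses) != 1:
        return None
    local, at, domain = addresses[0].rpartition("@")
    if not at or not local:
        return None
    domain = domain.lower().rstrip(".")
    # Sign only mail whose author domain is ours; forwarded third-party mail
    # (legit.com or spammer.com in the thread) passes through unsigned.
    return domain if domain in hosted else None


# Constructed messages mirroring the three situations in the thread.
LOCAL_MAIL = "From: User <user@example.com>\nTo: friend@yahoo.com\n\nhi\n"
FORWARDED_LEGIT = "From: goodperson@legit.com\nTo: user@example.com\n\nhi\n"
FORWARDED_SPAM = "From: spammer@spammer.com\nTo: user@example.com\n\nbuy\n"

if __name__ == "__main__":
    for name, raw in [("local", LOCAL_MAIL),
                      ("forwarded legit", FORWARDED_LEGIT),
                      ("forwarded spam", FORWARDED_SPAM)]:
        print(name, "->", signing_domain(raw))
```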

