Re: Domainkeys and ISPs
Michael Sprague wrote:
> On Wed, Mar 12, 2008 at 06:08:52PM +0800, Thomas Goirand wrote:
>> Michael Sprague wrote:
>>> Since I'm new to the domainkeys thing, I'm not sure what is considered
>>> okay or not. For example, I could sign every piece of email that leaves
>>> our outgoing server. It seems pretty easy to do in exim4 by setting
>>> $dk_domain to whatever I want in the router. But is that considered
>>> uncool? Do other ISPs sign ALL messages to help deal with Yahoo?
>> In the DEBIAN.Readme my colleague wrote some comments on how to use it.
>> And indeed, it does sign all outgoing email.
>> I hope that helps,
> Thanks for the info on dkimproxy, Thomas. I'll definitely check it out.
> But I'm curious on how people feel, in general, about signing every
> outgoing message. I can see why some may consider that a Bad Thing(tm).
> I think forwards are the best example.
> If we host firstname.lastname@example.org and that user forwards their email to
> email@example.com, should we sign those forwarded messages? I see 2 potential
> problems with that.
> First, let's say firstname.lastname@example.org sends a message to
> email@example.com and we forward it to firstname.lastname@example.org. If we sign that
> message could/should legit.com get mad at us?
> Second, let's say email@example.com sends a message to
> firstname.lastname@example.org and it gets by our spam filtering. We forward to
> email@example.com. If we sign it, are we helping spammer.com in any way?
> The purpose of DK (from http://www.ietf.org/rfc/rfc4870.txt) is to
> prove the "provenance and contents of an email" by digitally signing
> email on a per-domain basis. The claimed ultimate goal is "to
> unequivocally prove and protect identity".
> I guess my question is, by signing messages for domains one doesn't
> control or manage, is one violating the spirit of DK and/or DKIM?
All these are very good points, and I don't know how dkimproxy is
handling it. I'll have a look, and see how we can do that, but to me
this has to be handled by dkimproxy itself. I'll try to get in touch
with the upstream.
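
One possible answer to the forwarding question in this thread, as an added example that is not from the original posts and is not dkimproxy's behaviour: sign only when the sender domain is one the server hosts, and relay forwarded mail from other domains unsigned. The domain names, `HOSTED_DOMAINS`, the sample messages and both function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this server hosts and holds DomainKeys private keys for.
HOSTED_DOMAINS = {"isp.example"}

def sender_domain(raw_message):
    """Domain a DomainKeys signature would vouch for, or None.

    RFC 4870 takes it from Sender: when present, otherwise From:.
    """
    msg = message_from_string(raw_message)
    header = msg.get("Sender") or msg.get("From") or ""
    _, addr = parseaddr(header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def signing_domain_for(raw_message, hosted=HOSTED_DOMAINS):
    """Return the hosted domain to sign as, or None to relay unsigned."""
    domain = sender_domain(raw_message)
    if domain is None:
        return None
    for candidate in sorted(hosted):
        # Exact match, or a subdomain of a hosted domain (policy assumption).
        if domain == candidate or domain.endswith("." + candidate):
            return candidate
    # Forwarded or relayed mail written by someone else's domain: do not
    # vouch for it, whether the original sender is legitimate or a spammer.
    return None

# Constructed sample messages (not real traffic).
LOCAL_OUTBOUND = (
    "From: Alice <alice@isp.example>\n"
    "To: carol@elsewhere.example\n\nhello\n"
)
FORWARDED_LEGIT = (
    "From: Bob <bob@legit.example>\n"
    "To: alice@isp.example\n"
    "X-Forwarded-To: alice@webmail.example\n\nhi alice\n"
)
FORWARDED_SPAM = (
    "From: offers@spammer.example\n"
    "To: alice@isp.example\n\nbuy now\n"
)

if __name__ == "__main__":
    for name in ("LOCAL_OUTBOUND", "FORWARDED_LEGIT", "FORWARDED_SPAM"):
        print(name, "->", signing_domain_for(globals()[name]))
```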