[Mimedefang] DomainKeys
Jeff Rife
mimedefang at nabs.net
Fri Aug 20 02:22:29 EDT 2004
On 19 Aug 2004 at 14:14, SM wrote:

> The DomainKeys draft does not address this question yet. The
> mailing list MTA could use the List-Id header to sign the message
> and the recipient's mail server would verify on that header instead
> of the From: header.

So this would be quite a few headers that need to be checked by the
receiving MTA, and some fairly serious thought about what to do if more
than one kind of header shows up.

> >Their "solution" (that won't work at all) for e-mail lists: "A final
> >possibility is that MLMs may not need to participate in DomainKeys as
> >recipients have other means of sufficiently recognizing legitimate MLM
> >traffic, such as List-ID: headers". Well, gee, even if they don't
> >"participate", if the e-mail comes from a "participant", and ends up at
> >a "participant", end users may never get a say in whether to reject the
> >e-mail or not.
>
> I don't follow what you are getting at here.

Basically, by not "participating" in DomainKeys, a mailing list must
either remove all DomainKeys-related data or not touch the message in
any way that makes the signature check fail.

The first just isn't an option, since (let's use this list as an
example) my domain nabs.net might say "please reject unsigned e-mail"
in the DNS. Then, the roaringpenguin.com server would strip all the
DomainKeys info, and *your* server would honor my DNS request and
reject the e-mail. This is not acceptable.

The second solution means that the nice footer at the end of this
e-mail must not be added, *and* no headers can be added, because that
breaks the signature.

In particular, if I was checking DomainKeys, the e-mail I am responding
to (that you sent) would probably be rejected if you didn't have
"testing" mode set.
--
Jeff Rife |
SPAM bait: |
http://www.nabs.net/Cartoons/ShermansLagoon/FrozenLemmings.gif
AskDOJ at usdoj.gov |
spam at ftc.gov |
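
Added example (not part of the original post, and not MIMEDefang or DomainKeys code): a small model of the cases discussed above, where a list manager passes a signed message untouched, appends a footer, or strips the signature, and a strict receiver applies the sender's policy. Assumptions: HMAC-SHA1 stands in for the RSA-SHA1 signature, the KEYS table stands in for DNS, the domain, helper names and verdict strings are constructed, and the `o=-` (signs all mail) and `t=y` (testing) policy tags follow the DomainKeys specification.

```python
import hashlib
import hmac

# Constructed stand-in for DNS: real DomainKeys publishes an RSA public key
# and the policy record under _domainkey.<domain>; HMAC keeps this stdlib-only.
KEYS = {"sender.example": b"constructed-demo-key"}

def sign(domain, headers, body):
    """Return headers with a simplified DomainKey-Signature prepended."""
    data = "\r\n".join(headers + ["", body]).encode()
    sig = hmac.new(KEYS[domain], data, hashlib.sha1).hexdigest()
    return [f"DomainKey-Signature: d={domain}; b={sig}"] + headers

def verify(headers, body, policy):
    """Strict receiver. policy holds parsed tags, e.g. {"o": "-", "t": "y"}."""
    testing = policy.get("t") == "y"
    sig_hdr = next((h for h in headers if h.startswith("DomainKey-Signature:")), None)
    if sig_hdr is None:
        # o=- : the sending domain states that all of its mail is signed
        if policy.get("o") == "-" and not testing:
            return "reject: unsigned"
        return "accept: unsigned"
    tags = dict(t.strip().split("=", 1) for t in sig_hdr.split(":", 1)[1].split(";"))
    # Simplified: every non-signature header plus the body is covered; real
    # header selection (h=) and canonicalisation (c=) are not modelled.
    signed = [h for h in headers if h is not sig_hdr]
    data = "\r\n".join(signed + ["", body]).encode()
    good = hmac.new(KEYS[tags["d"]], data, hashlib.sha1).hexdigest()
    if hmac.compare_digest(good, tags["b"]):
        return "accept: signature ok"
    return "accept: bad signature (testing)" if testing else "reject: bad signature"

def mlm(headers, body, mode):
    """Hypothetical list manager behaviour: 'pass', 'footer' or 'strip'."""
    if mode == "strip":
        headers = [h for h in headers if not h.startswith("DomainKey-Signature:")]
    if mode == "footer":
        body += "\r\n-- \r\nlist footer (constructed)"
    return headers, body

def outcomes(policy):
    """Receiver verdict for each list-manager behaviour under one sender policy."""
    hdrs = sign("sender.example", ["From: a@sender.example", "Subject: hi"], "hello")
    return {m: verify(*mlm(hdrs, "hello", m), policy) for m in ("pass", "footer", "strip")}

if __name__ == "__main__":
    for p in ({"o": "-"}, {"o": "-", "t": "y"}):
        print(p, outcomes(p))
```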