Re: [exim] Rejecting based on domain keys

Author: Magnus Holmgren
Date:  
To: exim-users
Subject: Re: [exim] Rejecting based on domain keys
On Friday 30 March 2007 14:42, Ian Eiloart wrote:
> --On 30 March 2007 00:04:52 +0200 Magnus Holmgren <holmgren@???>
> wrote:
> > On Thursday 29 March 2007 23:27, Marc Perkel wrote:
> >> If a domain has a policy of signsall=1 and there is no signature - is
> >> that good enough to reject the email?
> >
> > That's up to you if you think that every domain that declares that policy
> > actually follows it. Maybe the probability is greater than for domains
> > with SPF records ending in "-all".
>
> Actually, it's not a question of "following" the policy, but of enforcing
> it. If a domain published that policy, they'd also want to persuade their
> users to use their MSA hosts to send mail (instead of the users' ISPs, etc).
> The thing is, the domain owner can't enforce anything on email that doesn't
> flow through their hosts. That's where they require you to do their
> enforcement for them.


Good point. Ideally, users would abide by the policy if told that "otherwise
your mail may be rejected", but in reality they'll notice that that never
happens.

But I should add that DKIM, the successor of DomainKeys about to be published
as an RFC [1], doesn't have the "signsall" concept at all, because the signing
identity is in the signature field only; if there is no signature there is no
domain to query for signing policies (in DomainKeys, Sender:, or in the
absence of one, From:, gave the domain to query). This means that rejecting
mail for lack of a DKIM signature becomes a local policy, which makes sense,
I think, because the same applies to *accepting* mail that *has* a valid
signature - it's something you can do only for a few domains you trust.

[1] http://mipassoc.org/pipermail/ietf-dkim/2007q1/007026.html

-- 
Magnus Holmgren        holmgren@???
                       (No Cc of list mail needed, thanks)


"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
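
The difference described in the message above, as an added example that is not part of the original post or of Exim: where DomainKeys and DKIM each find a domain for an unsigned message, and what a receiver-side list then decides. The function names, the must_sign list, the result strings and the sample messages are assumptions constructed for illustration; no signature is cryptographically verified here.

```python
from email import message_from_string
from email.utils import parseaddr

def _addr_domain(value):
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def domainkeys_policy_domain(msg):
    # DomainKeys: Sender:, or From: when Sender: is absent, names the domain
    # to query, so an unsigned message still has a policy to look up.
    return _addr_domain(msg.get("Sender") or msg.get("From"))

def dkim_signing_domains(msg):
    # DKIM: a signing domain exists only as d= inside a DKIM-Signature field.
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {k.strip(): "".join(v.split())
                for k, _, v in (t.partition("=") for t in sig.split(";"))}
        if tags.get("d"):
            domains.append(tags["d"].lower())
    return domains

def local_decision(msg, must_sign):
    # must_sign: the receiver's own list of author domains (hypothetical name).
    author = _addr_domain(msg.get("From"))
    signers = dkim_signing_domains(msg)
    if author in must_sign and author not in signers:
        return "reject"
    # "verify" only means a signature is present; checking it is not done here.
    return "verify" if signers else "unsigned-no-policy"

# Constructed sample messages (not real mail).
UNSIGNED = message_from_string(
    "From: Alice <alice@bank.example>\n"
    "Sender: relay@lists.example\n"
    "Subject: test\n\nbody\n")
SIGNED = message_from_string(
    "DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel;\n"
    "\th=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Alice <alice@bank.example>\n"
    "Subject: test\n\nbody\n")

if __name__ == "__main__":
    for name, m in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(name, domainkeys_policy_domain(m), dkim_signing_domains(m),
              local_decision(m, {"bank.example"}))
```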