Re: [exim] Unsigned messages from DKIM domains

Author: Richard Clayton
Date:  
To: Ivo Truxa
CC: Exim-users
Subject: Re: [exim] Unsigned messages from DKIM domains
In message <002a01d26c08$222405d0$666c1170$@???>, Ivo Truxa
<truxa@???> writes

>> >I wanted to reject or tag unsigned messages coming from domains who enforce
>> >DKIM on all their email in their DNS signing policy (DK,
>> >DKIM, or ADSP).
>>
>> you probably don't want to reject on that basis (you wouldn't get mail
>> from me for example)
>
>Why wouldn't I? Do you use to send unsigned messages while claiming in the
>signing policies published in the DNS that all messages from your domain are
>supposed to be signed?


I publish a DKIM key ... I make no policy claim as to what the presence
of that key does or does not mean...

... in fact my DMARC policy statement says that you should let me know
what you observe about email messages that you receive from me (and what
their signing status is), but I explicitly neither recommend that you
treat these messages as spam nor that you reject them

publishing a DKIM key without DMARC is NOT a policy statement !

>In that case your email indeed deserves to be rejected.


you may treat my email as you wish -- your loss (in my view)

>> what you should be doing is consulting the DMARC policy for the domain
>> where the domain owner will indicate whether you should reject unsigned
>> email or mark it as spam (or do nothing).
>
>I do, of course use DMARC too, but not every sender does.


DMARC policies are for receivers to understand the policy of the sender;
you should, in my view, always take note of it when it is present

>> Instead of designing your own policy engine you should, I think, be
>> using DMARC for learning what policies domain owners have announced ...
>
>This is not my own designing. That's a public standard. DKIM policies can be
>published in the DNS as TXT records in several forms:


no -- use of DKIM is not a policy statement ... that's precisely why
DMARC exists

>> >In the example above I exclude domains from the domain lists dkim_domains
>> >(list of well-known and/or frequently used domains using
>> >DKIM, such as Paypal, Ebay, Google, various banks, etc.)
>> ... in particular these companies are exactly those for which I am sure
>> you will find DMARC records
>
>Exactly! That's also one of the reasons I exclude them.


that's again wrong -- you should be honouring (for example) Paypal's
p=reject because it is the DMARC policy that they go to some effort to
publish, not because you think that Paypal is in some sense special

-- 
richard                                                   Richard Clayton


Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
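
The distinction drawn in the message above, as an added example that is not part of the original post or of Exim: a published DKIM key alone yields no policy, while the p= tag of a DMARC record states what the domain owner asks receivers to do. The domains, records and function names are constructed for illustration; only the exact From: domain is looked up (no organizational-domain fallback, sp= or pct= handling), and dmarc_pass stands for an aligned DKIM or SPF pass computed elsewhere.

```python
# Added example with constructed DNS data; no network lookups are made.
SAMPLE_TXT = {
    # Publishes a DKIM key only: no DMARC record, so no policy statement.
    "sel1._domainkey.keyonly.example": "v=DKIM1; k=rsa; p=CONSTRUCTED_KEY",
    # Asks for reports only.
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:rua@monitor.example",
    # Asks receivers to reject mail that fails DMARC.
    "_dmarc.strict.example": "v=DMARC1; p=reject",
    # Malformed policy value and no rua: the record is ignored.
    "_dmarc.broken.example": "v=DMARC1; p=discard",
}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the requested policy from a DMARC TXT string, or None."""
    tags = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: the record must start with v=DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    fields = dict(reversed(tags))  # first occurrence of a tag wins
    policy = fields.get("p", "").lower()
    if policy in POLICIES:
        return policy
    # RFC 7489 6.6.3: an invalid p= with a rua= present is treated as p=none.
    return "none" if fields.get("rua") else None


def disposition(from_domain, dmarc_pass, txt=SAMPLE_TXT):
    """Map the sender's published policy to accept / quarantine / reject."""
    if dmarc_pass:
        return "accept"
    record = txt.get("_dmarc." + from_domain.lower())
    policy = parse_dmarc(record) if record else None
    # No record or p=none: the owner has not asked for any action.
    if policy in (None, "none"):
        return "accept"
    return policy
```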