Re: The 'failure' of SMTP RE: DNS Choices: Was: [ietf-dkim] Re: Last Call: 'DomainKeys
On Nov 22, 2006, at 9:22 AM, Paul Robinson wrote:
> All DKIM gets you fundamentally is SPF with the ability for an MTA
> to determine "you are who you say you are, but some people think
> you're a prick". That doesn't help as much as you think it will.

While it greatly reduces false-positive filtering of phishing attempts,
DKIM does _not_ identify the MTA (SMTP client). While there is often
a desire to associate various email related domains with SMTP clients
when gauging acceptance, SPF does not offer a safe method for this.
Associations using name comparisons rather than address lists can be
much safer using small and simple answers.

The answer satisfying SPF makes address-path authorization both
impractical and highly dangerous. Currently SPF scripts may invoke
100 DNS targeted transactions per each email-address resolution; for
more than one per message, and more than once along the delivery
path. While most will disable scripts found within an anonymous
email, how is executing SPF scripts stored in DNS any different?
Surely a script stored in DNS does not make it safe.
-Doug
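
A lookup-budget audit for a published SPF record, added here as an example and not part of the original message: it counts the DNS-querying terms and a worst-case query total for one SPF check. It assumes the RFC 4408 section 10.1 limits (10 DNS-querying terms per check, 10 names per mx/ptr term); the domains, records and function names are constructed for illustration.

```python
import re

# Terms that cost a DNS query when evaluated (assumed from RFC 4408, section 10.1).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUP_TERMS = 10    # limit on DNS-querying terms per SPF check
MAX_NAMES_PER_TERM = 10  # limit on MX/PTR names checked per mx/ptr term

# Constructed sample data: domain -> published SPF record.
SAMPLE_RECORDS = {
    "example.org": "v=spf1 mx a include:_spf.mail.example include:crm.example ~all",
    "_spf.mail.example": "v=spf1 ip4:192.0.2.0/24 mx include:relay.example -all",
    "relay.example": "v=spf1 a:out.relay.example ptr -all",
    "crm.example": "v=spf1 exists:%{i}.allow.crm.example redirect=_spf.mail.example",
}

def parse_term(term):
    """Split one SPF term into (name, target); target is None when absent."""
    m = re.match(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
    return (m.group(1), m.group(2)) if m else (None, None)

def audit(domain, records, chain=()):
    """Return (lookup_terms, worst_case_queries) for one SPF check of domain."""
    # chain holds the current include/redirect path so loops terminate, while
    # a record reached twice by different paths is still counted twice.
    if domain in chain or domain not in records:
        return 0, 0
    terms = queries = 0
    for raw in records[domain].split()[1:]:  # skip the "v=spf1" version tag
        name, target = parse_term(raw)
        if name not in LOOKUP_TERMS:
            continue
        terms += 1
        queries += 1
        if name in ("mx", "ptr"):
            # each returned name may need its own address lookup
            queries += MAX_NAMES_PER_TERM
        if name in ("include", "redirect") and target:
            t, q = audit(target, records, chain + (domain,))
            terms, queries = terms + t, queries + q
    return terms, queries

def over_budget(domain, records):
    """True when a check of domain would exceed the DNS-querying term limit."""
    return audit(domain, records)[0] > MAX_LOOKUP_TERMS

if __name__ == "__main__":
    terms, queries = audit("example.org", SAMPLE_RECORDS)
    print(f"example.org: {terms} lookup terms, up to {queries} DNS queries")
    print("over budget:", over_budget("example.org", SAMPLE_RECORDS))
```
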
_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
Note Well: Messages sent to this mailing list are the opinions
of the senders and do not imply endorsement by the IETF.