On Nov 22, 2006, at 9:22 AM, Paul Robinson wrote:
> All DKIM gets you fundamentally is SPF with the ability for an MTA to determine "you are who you say you are, but some people think you're a prick". That doesn't help as much as you think it will.
While it greatly reduces false-positive filtering of phishing attempts, DKIM does _not_ identify the MTA (SMTP client). While there is often a desire to associate various email-related domains with SMTP clients when gauging acceptance, SPF does not offer a safe method for this. Associations using name comparisons rather than address lists can be much safer using small and simple answers.
The answer satisfying SPF makes address-path authorization both impractical and highly dangerous. Currently SPF scripts may invoke 100 DNS targeted transactions per email-address resolution; for more than one per message, and more than once along the delivery path. While most will disable scripts found within an anonymous email, how is executing SPF scripts stored in DNS any different? Surely a script being stored in DNS does not make it safe.
-Doug
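Added example, not part of the original message: a small auditor that counts the DNS queries a receiver issues when it evaluates one SPF record to the end without a match, so a domain owner can see what their published record costs each receiver. It assumes the processing limits of RFC 4408 section 10.1 (10 lookup-causing terms per check, 10 MX names per `mx` mechanism) and reads the message's figure of 100 as ten `mx` mechanisms each resolving ten hosts; all zone data and `*.example` names are constructed.

```python
# Added example: worst-case DNS query count for one SPF check (no mechanism matches).
# All zone data is constructed; every *.example name is hypothetical.
MAX_TERMS = 10     # lookup-causing terms per check (RFC 4408 section 10.1)
MAX_MX_NAMES = 10  # MX names resolved per "mx" mechanism (same section)

TXT = {
    "heavy.example": "v=spf1 " + " ".join(f"mx:m{i}.example" for i in range(10)) + " -all",
    "small.example": "v=spf1 ip4:192.0.2.0/24 a include:relay.example -all",
    "relay.example": "v=spf1 mx -all",
    "over.example": "v=spf1 " + " ".join(f"a:x{i}.example" for i in range(11)) + " -all",
}
MX = {f"m{i}.example": [f"h{j}.m{i}.example" for j in range(10)] for i in range(10)}
MX["relay.example"] = ["mail.relay.example"]

def spf_cost(domain, state=None):
    """Count DNS queries a receiver issues evaluating domain's SPF record to the end."""
    if state is None:
        state = {"terms": 0, "queries": 0, "addr": 0, "permerror": False}
    state["queries"] += 1                      # TXT query for the record itself
    for term in TXT.get(domain, "").split()[1:]:
        if term.startswith("redirect="):
            mech, arg = "redirect", term[len("redirect="):]
        else:
            mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0]              # drop a CIDR suffix such as a/24
        target = arg.split("/")[0] or domain
        if mech not in ("a", "mx", "exists", "include", "redirect"):
            continue                           # ip4, ip6, all: no DNS needed (ptr, macros omitted)
        state["terms"] += 1
        if state["terms"] > MAX_TERMS:         # receiver must stop with PermError here
            state["permerror"] = True
            return state
        if mech in ("include", "redirect"):
            spf_cost(target, state)            # nested record: its TXT query and its terms
            if state["permerror"]:
                return state
        elif mech == "mx":
            hosts = MX.get(target, [])[:MAX_MX_NAMES]
            state["queries"] += 1 + len(hosts) # one MX query, then one address query per host
            state["addr"] += len(hosts)
        else:                                  # "a" or "exists": a single address query
            state["queries"] += 1
            state["addr"] += 1
    return state

if __name__ == "__main__":
    for d in ("small.example", "heavy.example", "over.example"):
        print(d, spf_cost(d))
```

The `heavy.example` record stays within the term limit yet still costs each receiver 100 address lookups on top of the MX and TXT queries, while `small.example` needs five queries in total.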