> Does it follow, then, that the Right Thing to do is to avoid
> building any other parts of the system (even, say, the reputation
> service query protocol) until the easiest part is finished?

If we knew what to build, we'd build it. We published RFC 5518 for VBR, a reputation system that sits on top of DKIM, two years ago. At this point I know of only one small VBR provider, which I manage.

Also, even without general reputation systems, there are special cases that are worth doing, e.g., there's a handful of large heavily phished domains that sign all their mail, notably paypal.com and its ccTLD variants. For a medium or large mail system, it's worth adjusting the spam filters to throw away mail purporting to be from Paypal that doesn't have a signature.

R's,
John
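The special-case filter described in the message above, as an added example that is not part of the original post or anyone's production rule set. It goes slightly further than "has a signature" by requiring a signature that verified for the From domain, and it assumes a border MTA with the hypothetical authserv-id `mx.example.net` has already verified DKIM and recorded the result in `Authentication-Results`; the domain list beyond paypal.com and all sample messages are constructed.

```python
import email
from email.utils import parseaddr

# Assumption: domains known to sign all their mail; the ccTLD entries are illustrative.
SIGN_ALL = {"paypal.com", "paypal.co.uk", "paypal.de"}
# Assumption: authserv-id that our own border MTA stamps after verifying DKIM.
TRUSTED_AUTHSERV = "mx.example.net"

def covering(domain, protected):
    """Return the protected domain that `domain` equals or is a subdomain of, else None."""
    domain = domain.lower().rstrip(".")
    return next((p for p in protected if domain == p or domain.endswith("." + p)), None)

def dkim_pass_domains(msg):
    """header.d values reported as dkim=pass by our own verifier only."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.split() for p in value.split(";")]
        if not parts[0] or parts[0][0].lower() != TRUSTED_AUTHSERV:
            continue  # stamped by another host, so the sender could have written it
        for tokens in parts[1:]:
            if tokens and tokens[0].lower() == "dkim=pass":
                passed.update(t[9:].lower() for t in tokens if t.lower().startswith("header.d="))
    return passed

def verdict(raw):
    """'discard' when a sign-all domain appears in From without a matching valid signature."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    protected = covering(from_domain, SIGN_ALL)
    if protected is None:
        return "normal-filtering"
    signed = any(covering(d, {protected}) for d in dkim_pass_domains(msg))
    return "accept" if signed else "discard"

# Constructed sample messages (not real mail).
SIGNED = ("Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com\n"
          "From: PayPal <service@paypal.com>\nSubject: Receipt\n\nbody\n")
UNSIGNED = "From: PayPal <service@paypal.com>\nSubject: Verify your account\n\nbody\n"
FOREIGN_AR = "Authentication-Results: mx.other.example; dkim=pass header.d=paypal.com\n" + UNSIGNED
UNRELATED = "From: Alice <alice@example.org>\nSubject: Lunch\n\nbody\n"

if __name__ == "__main__":
    for name in ("SIGNED", "UNSIGNED", "FOREIGN_AR", "UNRELATED"):
        print(name, "->", verdict(globals()[name]))
```

The check is only as trustworthy as the `Authentication-Results` header, so the border MTA must strip any inbound header carrying its own authserv-id before adding its result.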