On Jun 4, 2013, at 7:16 PM, Sam Hartman <hartmans-ietf@xxxxxxx> wrote:

> So, I'd like to encourage Doug to refine his work, fix errors of

Dear Sam,

Thank you for your interest. I have updated the draft and, as requested by Dave Crocker, included references to prior statements by Dave Crocker and Barry Leiba made public subsequent to the conclusion of the WG DKIM specification in response to comments about the phishing threat DKIM permits.

In reviewing some of Dave Crocker's responses, it appears differences between "validated the SDID" and "authenticated the SDID" could use some clarification since this is awkwardly described in RFC6376 section 6.3.

Quoting the abstract of RFC5863 co-authored by Dave Crocker, "DKIM's authentication of email identity can assist in the global control of "spam" and "phishing". This document provides implementation, deployment, operational, and migration considerations for DKIM."

Section 5.4 "Inbound Mail Filtering" of RFC5863 states:

,---
DKIM is frequently employed in a mail filtering strategy to avoid performing content analysis on email originating from trusted sources. Messages that carry a valid DKIM signature from a trusted source can be whitelisted, avoiding the need to perform computation and hence energy-intensive content analysis to determine the disposition of the message.
'---

This is exactly how DKIM is being used and why DKIM is harmful!

Additional information is being acquired, but will not alter conclusions reached.

Regards,
Douglas Otis
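The whitelisting strategy quoted from RFC 5863 section 5.4, and the "validated the SDID" versus "authenticated the SDID" distinction raised above, can be made concrete with a small filter-decision model. The following is an added example and not code from the thread or from any RFC; it assumes the cryptographic verification of the DKIM-Signature has already been performed (the `sig_valid` flag stands in for that result), and all header values and the `TRUSTED_SDIDS` list are constructed placeholders. It contrasts a policy that whitelists on any valid signature from a trusted signer with one that additionally requires the signing domain (the `d=` tag, the SDID of RFC 6376) to cover the domain shown in the From: header.

```python
"""Added example: DKIM-based whitelisting with and without checking that the
trusted signer (SDID, the d= tag) actually covers the From: domain.
Signature cryptography is assumed done elsewhere; sample data is constructed."""

import re
from email.utils import parseaddr

# Hypothetical whitelist of signers whose valid signature skips content
# filtering.  A large shared mail host signs everything it relays, so its
# signature says nothing about who the From: address belongs to.
TRUSTED_SDIDS = {"mailhost.example"}


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 3.2).
    Folding whitespace inside values is removed; unknown tags are kept."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def from_domain(from_header: str) -> str:
    """Domain of the address in the From: header, lower-cased."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower()


def sdid_covers(sdid: str, domain: str) -> bool:
    """True when the From: domain is the SDID itself or a subdomain of it."""
    sdid, domain = sdid.lower(), domain.lower()
    return domain == sdid or domain.endswith("." + sdid)


def naive_policy(dkim_header: str, from_header: str, sig_valid: bool) -> str:
    """RFC 5863 5.4 read literally: a valid signature from a trusted signer
    is enough to skip content analysis, whatever the From: header says."""
    tags = parse_dkim_tags(dkim_header)
    if sig_valid and tags.get("d", "").lower() in TRUSTED_SDIDS:
        return "whitelist"
    return "filter"


def aligned_policy(dkim_header: str, from_header: str, sig_valid: bool) -> str:
    """Whitelist only when the trusted SDID also covers the From: domain, so a
    validated signature is not mistaken for an authenticated sender identity."""
    tags = parse_dkim_tags(dkim_header)
    sdid = tags.get("d", "").lower()
    if (sig_valid and sdid in TRUSTED_SDIDS
            and sdid_covers(sdid, from_domain(from_header))):
        return "whitelist"
    return "filter"


# Constructed sample headers: the shared host's signature verifies, but the
# displayed sender is an unrelated domain.
SIG_FROM_HOST = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailhost.example; "
                 "s=sel1; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=")
FROM_UNRELATED = "Security Team <alerts@bank.example>"
FROM_HOST_USER = "Some User <user@mailhost.example>"

if __name__ == "__main__":
    for label, frm in (("unrelated From:", FROM_UNRELATED), ("host's own From:", FROM_HOST_USER)):
        print(f"{label:17} naive={naive_policy(SIG_FROM_HOST, frm, True):9} "
              f"aligned={aligned_policy(SIG_FROM_HOST, frm, True)}")
```

The naive rule whitelists both messages because the signature from `mailhost.example` verifies in both cases; the aligned rule whitelists only the message whose From: domain the signer actually covers, and sends the other to ordinary content filtering. This is the difference between having validated the SDID and having authenticated the identity the recipient sees.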