Part of the problem is that DKIM requires that email passes through the signer's MTA to get the signature added. Per-user certs chained to the published cert would address this issue. This would allow someone using gmail to send as @yahoo.com.

Yes, it requires all the PKI stuff like CRLs for compromised accounts. You report spam that passes DKIM to @yahoo.com, who then revoke the cert. The CRL could be a DNS entry with a low negative TTL for non-existing entries.

Note these CERTs don't need to be tied to account names. Yahoo would know who they were issued to but no one else. Multiple users could in theory use the same CERT.

Vetted mailing lists could use a CERT after re-writing Subject, attaching footers etc. This CERT would be marked as "on behalf of", indicating that it is not the actual user that is signing the message but a proxy. This still requires a mailing list to sign the outgoing email and have a collection of CERTs to do this with. Mailing lists without a CERT would reject incoming messages which would fail DKIM, reporting back to Yahoo why. This would be a trigger to get a mailing list CERT. The Yahoo user would need to sign off that they intended to send to a mailing list before a CERT was issued. This step could be automated, but would be a brake on process abuse.

The email would have to contain the necessary linkage information in the headers to get back to Yahoo's public key.

This isn't a perfect system but it would allow Yahoo to control who gets to send email as user@xxxxxxxxx.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
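The chain the post sketches (domain key signs a per-user cert, the user's key signs the message, a DNS-published CRL revokes by serial, and a proxy cert carries an "on behalf of" flag for vetted lists) can be modelled end to end in a few dozen lines. The following is an added illustration written for this page; it is not part of the post, not any real DKIM extension, and not ISC code. It assumes Ed25519 for both levels of the chain, a JSON encoding of the cert body as the signed bytes, a `Revoked` map standing in for the DNS lookup, and placeholder domain `example.com` and serials such as `u-1001`; all of these are choices made here for the example. The verifier checks the same four things the post relies on: the cert really comes from the domain's published key, it is not revoked, the `From` domain matches the cert's domain, and the message signature validates under the cert's key. The relayed-list case shows a proxy cert re-signing a rewritten Subject and footer, and the tamper case shows why that re-signing is required.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// UserCert is the hypothetical per-user (or per-list) certificate body that the
// domain operator signs. Serial is what the CRL revokes; it carries no account name.
type UserCert struct {
	Serial     string            `json:"serial"`
	Domain     string            `json:"domain"`
	OnBehalfOf bool              `json:"on_behalf_of"` // true for a mailing-list proxy cert
	PubKey     ed25519.PublicKey `json:"pub_key"`
}

// SignedCert is the cert body plus the domain key's signature over it.
type SignedCert struct {
	Cert UserCert
	Sig  []byte
}

// Message is a minimal mail holding only the headers the signature covers.
type Message struct {
	From, Subject, Body string
	Cert                SignedCert
	Sig                 []byte
}

func certBytes(c UserCert) []byte { b, _ := json.Marshal(c); return b }
func msgBytes(m Message) []byte  { return []byte(m.From + "\n" + m.Subject + "\n" + m.Body) }

// IssueCert is the domain operator's step: bind a public key to the domain.
func IssueCert(domainPriv ed25519.PrivateKey, domain string, pub ed25519.PublicKey, serial string, proxy bool) SignedCert {
	c := UserCert{Serial: serial, Domain: domain, OnBehalfOf: proxy, PubKey: pub}
	return SignedCert{Cert: c, Sig: ed25519.Sign(domainPriv, certBytes(c))}
}

// SignMessage runs on whatever MTA holds the user's or list's key; the domain's
// own MTA is not involved, which is the point of the scheme.
func SignMessage(priv ed25519.PrivateKey, cert SignedCert, from, subject, body string) Message {
	m := Message{From: from, Subject: subject, Body: body, Cert: cert}
	m.Sig = ed25519.Sign(priv, msgBytes(m))
	return m
}

// Revoked simulates the DNS-published CRL: a serial present here is revoked, an
// absent one (NXDOMAIN in the real design) is still valid.
type Revoked map[string]bool

// Verify walks the chain domain key -> cert -> message and reports whether the
// signer was a proxy ("on behalf of") cert.
func Verify(domainPub ed25519.PublicKey, crl Revoked, m Message) (onBehalfOf bool, err error) {
	c := m.Cert.Cert
	if !ed25519.Verify(domainPub, certBytes(c), m.Cert.Sig) {
		return false, errors.New("cert not signed by the domain's published key")
	}
	if crl[c.Serial] {
		return false, errors.New("cert serial is revoked")
	}
	at := strings.LastIndex(m.From, "@")
	if at < 0 || !strings.EqualFold(m.From[at+1:], c.Domain) {
		return false, errors.New("From domain does not match cert domain")
	}
	if !ed25519.Verify(c.PubKey, msgBytes(m), m.Sig) {
		return false, errors.New("message signature invalid for cert key")
	}
	return c.OnBehalfOf, nil
}

func main() {
	domainPub, domainPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	listPub, listPriv, _ := ed25519.GenerateKey(rand.Reader)
	userCert := IssueCert(domainPriv, "example.com", userPub, "u-1001", false)
	listCert := IssueCert(domainPriv, "example.com", listPub, "l-42", true)
	crl := Revoked{}

	// 1. User sends through a third-party MTA; only the user's key is needed.
	m := SignMessage(userPriv, userCert, "alice@example.com", "hello", "body")
	fmt.Println(Verify(domainPub, crl, m)) // false <nil>

	// 2. A vetted list rewrites Subject, adds a footer and re-signs with its proxy cert.
	relayed := SignMessage(listPriv, listCert, m.From, "[list] "+m.Subject, m.Body+"\n-- list footer")
	fmt.Println(Verify(domainPub, crl, relayed)) // true <nil>

	// 3. Changing the relayed copy without re-signing breaks the signature.
	relayed.Subject = "changed"
	fmt.Println(Verify(domainPub, crl, relayed)) // false message signature invalid for cert key

	// 4. Revoking the user's serial in the simulated CRL invalidates the original.
	crl["u-1001"] = true
	fmt.Println(Verify(domainPub, crl, m)) // false cert serial is revoked
}
```

The domain-match check is what stops a cert issued by one domain from vouching for a `From` at another, and the CRL lookup is keyed on the serial alone, matching the post's point that the cert need not reveal which account it was issued to.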