signing all outbound email
Paul Hoffman
paul.hoffman at vpnc.org
Fri Sep 8 11:52:34 EDT 2006
At 7:02 AM +1000 9/8/06, James A. Donald wrote:
>I do not seem to be able to use DKIM for spam
>filtering.
Correct. It is for white-listing. It tells the recipient (MTA or MUA)
that the message received was sent from the domain name it says it
was, and that parts of the message were not altered.
>I would like to whitelist all validly signed
>DKIM from well known domains.
Good; that's what the protocol is designed to do.
>One way of doing this would be for the MTA to insist on
>a valid signature when talking to certain well known
>MTAs, and then my MUA could whitelist mail sent from
>those well known MTAs
Yes, if you are willing to throw out messages whose signatures are
broken during transit. (This is the same risk that others face with
insisting that valid S/MIME or OpenPGP signatures be on every message
from particular parties.)
>In short, I am not able to get any advantage out of
>using this protocol, which means that there is no
>advantage in sending me signed mail.
And there is no disadvantage either. There are advantages for sending
signed mail to users who have a different threat model than you have,
and there are certainly administrative advantages to signing all
outgoing mail, not looking to see "oh, if it is James, don't sign it
because he won't like it".
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
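
The policy discussed in this exchange, as an added example that is not part of the original post: a valid, From-aligned DKIM signature from an allowlisted domain is a positive signal, a missing or broken signature is no signal at all, and only domains on a strict list are discarded when they arrive without a valid signature. It assumes the receiving MTA records its verdict in an Authentication-Results header; the authserv-id, the domain lists and the function names are constructed for illustration.

```python
import re

TRUSTED_AUTHSERV = "mx.receiver.example"     # our own verifier's authserv-id (constructed)
ALLOWLIST = {"example.com", "bank.example"}  # well-known signing domains (constructed)
REQUIRE_VALID = {"bank.example"}             # strict list: discard if not validly signed

# Matches one dkim result and its signing domain inside a single ";"-separated clause.
DKIM_RE = re.compile(r"\bdkim=(\w+)[^;]*?\bheader\.d=([\w.-]+)", re.I)

def passing_domains(auth_results):
    """Signing domains with dkim=pass, read only from our own verifier's header."""
    authserv, _, rest = auth_results.partition(";")
    if authserv.strip().lower() != TRUSTED_AUTHSERV:
        return set()  # header was not written by our MTA, so it proves nothing
    return {d.lower().rstrip(".") for res, d in DKIM_RE.findall(rest)
            if res.lower() == "pass"}

def aligned(from_domain, signer):
    """True when the From domain is the signing domain or a subdomain of it."""
    return from_domain == signer or from_domain.endswith("." + signer)

def classify(from_domain, auth_results):
    """Return 'allowlist', 'discard' or 'no-signal' for one message."""
    from_domain = from_domain.lower()
    signers = passing_domains(auth_results)
    if any(s in ALLOWLIST and aligned(from_domain, s) for s in signers):
        return "allowlist"
    # Strict policy: accepts the risk of losing mail whose signature broke in transit.
    if any(aligned(from_domain, d) for d in REQUIRE_VALID):
        return "discard"
    # A missing or broken signature is not evidence of spam; other filters decide.
    return "no-signal"
```

A message that ends up as "no-signal" continues through whatever other filtering the recipient runs; the signature check only ever adds mail to the allowlist.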