signing all outbound email

Paul Hoffman paul.hoffman at vpnc.org
Fri Sep 8 11:52:34 EDT 2006


At 7:02 AM +1000 9/8/06, James A. Donald wrote:
>I do not seem to be able to use DKIM for spam
>filtering.

Correct. It is for white-listing. It tells the recipient (MTA or MUA) 
that the message received was sent from the domain name it says it 
was, and that parts of the message were not altered.

>I would like to whitelist all validly signed
>DKIM from well known domains.

Good; that's what the protocol is designed to do.

>One way of doing this would be for the MTA to insist on
>a valid signature when talking to certain well known
>MTAs, and then my MUA could whitelist mail sent from
>those well known MTAs

Yes, if you are willing to throw out messages whose signatures are 
broken during transit. (This is the same risk that others face with 
insisting that valid S/MIME or OpenPGP signatures be on every message 
from particular parties.)

>In short, I am not able to get any advantage out of
>using this protocol, which means that there is no
>advantage in sending me signed mail.

And there is no disadvantage either. There are advantages for sending 
signed mail to users who have a different threat model than you have, 
and there are certainly administrative advantages to signing all 
outgoing mail, not looking to see "oh, if it is James, don't sign it 
because he won't like it".

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
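
The whitelisting decision discussed in this message, sketched as an added example that is not part of the original post or of any DKIM implementation. It assumes the cryptographic check is done by a separate verifier whose result is passed in as `signature_valid`; `WHITELIST`, `classify` and `strict` are hypothetical names, and the sample header is constructed.

```python
import re

# Assumption: signing domains this recipient has chosen to trust (constructed).
WHITELIST = {"example.com", "bank.example"}

# Constructed DKIM-Signature header value, folded across lines as it would be on the wire.
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
              "\th=from:to:subject:date;\r\n"
              "\tbh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=")

def parse_dkim_signature(value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue
        # Split on the first '=' only: base64 values may end in '=' padding.
        name, _, val = part.partition("=")
        tags[name.strip()] = val.strip()
    return tags

def signed_headers(tags):
    """Header names covered by the signature (the h= tag), lower-cased."""
    return {h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()}

def classify(from_domain, sig_value, signature_valid, strict=False):
    """Return 'whitelist', 'filter' or 'reject' for one message.

    signature_valid is the verifier's result (None when there is no signature).
    strict=True models insisting on a valid signature from whitelisted domains,
    which also discards mail whose signature was broken in transit.
    """
    tags = parse_dkim_signature(sig_value) if sig_value else {}
    signing_domain = tags.get("d", "").lower()
    # Whitelist only when the signature verified, the signing domain is trusted,
    # and the From header is among the parts the signature covers.
    if signature_valid and signing_domain in WHITELIST and "from" in signed_headers(tags):
        return "whitelist"
    # A missing or broken signature proves nothing: in strict mode the message is
    # discarded, otherwise it goes through ordinary spam filtering.
    if strict and from_domain.lower() in WHITELIST:
        return "reject"
    return "filter"
```
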


