On 2/12/23 12:15 AM, Wei Chuang wrote:
Consolidating the new points raised and my replies:
On Fri, Feb 10, 2023 Michael Thomas <m...@mtcc.com> wrote:
Another thing that should probably be discussed is outbound spam
filtering. At a high level, this is really about the sender
sending spam. But email afaik is silent on whether senders or
receivers should filter for spam (and if there is, it would be
good to reference it). Sender filtering is especially pertinent
and may well have clues of how a sender can mitigate it. A
breakdown of how spammers defeat that outbound filtering would be
really useful. For example, is the spam intended for mailboxes on
the sending domain (eg, gmail)? Or do they go through a two stage
process where they first get the spam through the sender, and then
test it on the intended receiving domains? All of that would be
really helpful.
Many MBP have outbound and inbound spam filters. Many domains also
use third party Outbound Filtering Services and Inbound Filtering
Services as mentioned in the Problem Statement draft.
If there is a BCP, I think it's sort of table stakes that outbound
filtering takes place. That goes for ESP's with marketing email as well.
I expect that that is just preaching to the choir though.
I understand that Google is not going to tell us exactly how it
makes its filtering and reputation decisions, but that sort of
begs the question of whether we can know what is "best" or
"common" given that we don't know what is "not best" and "not
common" out in the industry. Obviously if we can observe behavior
from the outside (eg, not signing To: and Subject:) that's fair
game. But a nebulous "lowers the reputation" leaves us to just
speculate as to what that means. That is not a very good place to
be in for a standards body.
I think that stake holders are going to have to come to some
consensus of what they will and won't share. That in turn will
inform the wg what it can and can't do. If the problem statement
remains really vague, that means the solution space is going to be
further constrained.
There will alway be this tension between what is proprietary and what
can be shared so that we collectively work on the problem. Perhaps
the way to break the impasse is to say let's move away from reputation
systems as they are inherently non-deterministic to some deterministic
solution for DKIM replay. As an example, a couple of the proposals
work on signing MAIL FROM recipients and verifying the actual
recipient against the signed recipients. The computed will be
consistent when evaluated at different times unlike reputation systems.
But that breaks indirect mail flows, right? How does a sender know that
the MX domain isn't the final domain?
Of course if you don't want to support indirect flows, all you need to
do is put up a SPF record and not DKIM sign it. No need to do any
unnatural layer violating acts.
Why do you say it weakens it? Isn't it pretty common to import the
SPF record of ESPs, and in this case outbound filters into the
sending domain's SPF record?
If it does weaken it, wouldn't that apply to the ESP case too?
Fair enough. Yes that applies there too.
But how does it weaken it? Or is that what the Fair Enough is pertaining
to?
Mike
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
