On Sat, Nov 06, 2010 at 02:48:03AM -0000, John Levine wrote:

> Do NOT look up rDNS in the DWL. If you do, you will get random
> results, since we have no idea what rDNS our clients use.

Noted. The feature is not SpamHaus specific, and other WLs may support
rDNS domains, but we should perhaps add a note in the docs about
SpamHaus, since your list will likely be one of the most widely used.

> > In a large enough organization, someone, somewhere will unilaterally
> > engage in some marketing under the radar, so we need to think about
> > separating the known good, rather than trying to preclude the unknown
> > bad.
>
> Quite right. It may be easier to hand out DKIM signing keys to people
> who know what they're doing, and keep everything else unsigned.

I'd love to do this, but then I run into problems because DKIM has been
hijacked by the "it solves phishing" crowd, so signing only a portion of
the mail leads to issues with receiving systems (potentially Hotmail,
...) that want to use DKIM to detect "From:" spoofing, rather than use
authenticated message origin for reputation lookups. So leaving half my
mail unsigned is not very appealing.

Does it make sense in your view to use the "From:" domain to sign *all*
mail, and not add that domain to the DNSWL, while reserving a sub-domain
(that never matches "From:") for the good senders, and applying a
*second* signature for the "transactional" mail, so that the
transactional stuff is whitelisted by DNSWL users, and the "From:"
header authentication nuts get what they want also?

-- 
Viktor.
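The two-signature scheme proposed above, modelled from the receiver's side as an added example (this is not code from the thread, from Postfix, or from any DNSWL operator). It assumes, hypothetically, that every DKIM-Signature header present has already verified cryptographically, that an in-memory set stands in for a DNS-based whitelist zone, and that the two messages are constructed for the example; the domains example.com and txn.example.com and the selectors corp and txn are made up. Strict equality between the From: domain and a signing d= is used for the "From: authentication" check; relaxed organizational-domain alignment is not modelled.

```python
"""Receiver-side policy for a message carrying two DKIM signatures.

Added example, not code from the thread. Assumptions (hypothetical):
every DKIM-Signature below is taken as already verified; DNSWL is a
constructed in-memory stand-in for a DNS whitelist zone; the messages
and all domains, selectors and hash values are constructed placeholders.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for a DNSWL zone. Only the transactional signing
# sub-domain is listed; the From: domain (example.com) deliberately is not,
# so a signature by example.com alone never earns a whitelist hit.
DNSWL = {"txn.example.com"}


def parse_tags(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2).

    Splits on the first '=' only, so base64 padding in b= and bh= survives,
    and strips folding whitespace from every value.
    """
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, val = part.split("=", 1)
        tags[key.strip()] = "".join(val.split())
    return tags


def signing_domains(msg):
    """All d= domains claimed by DKIM-Signature headers, lower-cased."""
    return [parse_tags(str(h)).get("d", "").lower()
            for h in msg.get_all("DKIM-Signature", [])]


def from_domain(msg):
    """Domain of the RFC 5322 From: address."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def from_aligned(msg):
    """What a 'DKIM solves phishing' receiver wants: some (verified)
    signature's d= is exactly the From: domain."""
    fd = from_domain(msg)
    return any(d == fd for d in signing_domains(msg))


def whitelisted(msg, table=DNSWL):
    """What a DNSWL user does: look up each (verified) signing domain in
    the list. The client's rDNS name is never consulted, per the DWL
    operator's advice above."""
    return [d for d in signing_domains(msg) if d in table]


def load(text):
    return email.message_from_string(text, policy=policy.default)


# Constructed: transactional mail, signed twice (From: domain + sub-domain).
TRANSACTIONAL = load("""\
From: Shop <orders@example.com>
To: alice@example.net
Subject: Your order
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=corp; h=from:to:subject; bh=AAAA=; b=BBBB=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=txn.example.com;
 s=txn; h=from:to:subject; bh=AAAA=; b=CCCC=

Thanks for your order.
""")

# Constructed: under-the-radar marketing, signed only with the From: domain.
MARKETING = load("""\
From: Promotions <promo@example.com>
To: alice@example.net
Subject: Big sale
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=corp; h=from:to:subject; bh=AAAA=; b=DDDD=

Buy now.
""")

if __name__ == "__main__":
    for name, m in (("transactional", TRANSACTIONAL), ("marketing", MARKETING)):
        print(name, "aligned:", from_aligned(m), "whitelisted:", whitelisted(m))
```

Both messages satisfy the From: alignment check, because everything is signed with the From: domain; only the transactional message earns a whitelist hit, because only its second signature names a domain that is in the list. An unsigned marketing message would fail alignment, which is the outcome the scheme is designed to avoid.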