
FEEDBACK REQUESTED: DKIM Sender Signing Policy Use Cases

IronPort Nation,

I'd like to update you on the status of the DKIM initiative:

The DKIM IETF draft is in pretty good shape. There have been several iterations over the course of the summer and the recent version seems to be pretty solid, with only minor changes expected moving forward. Go here for a view: http://www.neophilic.com/~eric/DKIM/draft-ietf-dkim-base-06a.html

The focus now has shifted to Sender Signing Policy (SSP). SSP communicates how senders sign their outgoing mail and how verifiers should access and interpret DKIM verification results. It will tell receivers what to do with unsigned mail or invalid signature mail.

The IETF needs industry input and IronPort is currently surveying leading customers, including the IronPort Nation members.

Below are a few questions/use cases that we envision; can you review and comment?



1. What would you like receivers to do with your signed, unsigned and invalid signature email today? Remember unsigned and invalid signature email will be mostly spoofing, but can be your sent email.

2. What will you want receivers to do in the distant future when you are fully deployed and any kinks are worked out?

3. What, if any, feedback would you like when an email claiming to be from your domain is received by another organization and is lacking a signature or has an invalid signature?

4. Are there domains your company is responsible for that you would like to indicate never send mail (in order to prevent abuse)?

5. What use cases exist that would cause you to communicate signing policy that impacted 3rd parties (Email Marketing Service Providers, 'evite'-related issues)?

6. Are there other use cases that merit consideration?

Thanks,

Nick Edwards
IronPort Systems

2 Replies

I've received some great feedback from one customer via email. Anyone else have any thoughts on these use cases?

Thanks,
Nick

MikeK_ironport
Level 1

1. What would you like receivers to do with your signed, unsigned and invalid signature email today? Remember unsigned and invalid signature email will be mostly spoofing, but can be your sent email.

Once we are signing our outbound mail, and we have verified that none of our vendors are using our domains, I would like receivers to:
SIGNED - Accept, and possibly treat with special preference
UNSIGNED - Accept, and notify via feedback loop of some kind
INVALID - Accept and notify via feedback loop of some kind

2. What will you want receivers to do in the distant future when you are fully deployed and any kinks are worked out?

SIGNED - Accept, and possibly treat with special preference
UNSIGNED - DROP, and notify via feedback loop of some kind
INVALID - DROP and notify via feedback loop of some kind


3. What, if any, feedback would you like when an email claiming to be from your domain is received by another organization and is lacking a signature or has an invalid signature?

I would like a feedback loop of some kind, either like AOL's or perhaps Hotmail's. Samples are important though...

4. Are there domains your company is responsible for that you would like to indicate never send mail (in order to prevent abuse)?

YES