6 月 30 2005

看來 Domain Keys 還在測試階段.

繼昨天的這篇 .

我後來把 Domain Keys 搞定了, 從昨天到今天的 log 觀察, 我發現正在使用有 Yahoo! 跟 Gmail .
除了英文語系的網站, 大陸那邊也有人玩過, 而且有這篇對 Domain Keys 作簡略的說明.

不過, 就如我留的 comment 中所說的這段 :

不過 Domain Keys 仍然怪怪的, 我這邊遇到這種問題:
某廣告商偽造 From: 為 [email protected] , 但是因為他並不屬於 Yahoo.com 這個單位, 所以沒有使用 Domain Keys ( 他的來信裡面沒有 DomainKey-Signature: ) .
於是, 收信方就算使用了 Domain Keys , 就沒有將此信進行 verify signature 的動作, 信也就繼續流入.

Yahoo! 跟 Gmail 的 address 就算被偽造, 放進 From: 裡面, 仍然無法被辨識出來.

剛剛重新看了一次 Domain Keys 的 draft .
我發現了這兩筆有趣的資訊 :

_domainkey.yahoo.com text = “t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys”

*** Can”t find _domainkey.gmail.com: No answer

在文件中的 3.6.2 Interim sending domain policy , 對 o 這個 tag 有這兩段說明 :

o = Outbound Signing policy (“-” means that this domain signs all email, “~” is the default and means that this domain may sign some email with DomainKeys).

There is an important implication when a domain states that it signs all email with the “o=-” setting. Namely that the sending domain prefers that the recipient system treat unsigned mail with a great deal of suspicion. Such suspicion could reasonably extend to rejecting
such email. A verifying system MAY reject unverified email if a domain policy indicates that it signs all email.
Of course nothing compels a recipient MTA to abide by the policy of the sender. In fact, during the trial a sending domain would want to be very certain about setting this policy, as processing by recipient MTAs may be unpredictable. Nonetheless, a domain that states that it signs all email MUST expect that unverified email may be rejected by some receiving MTAs.

也就是說, Yahoo! 跟 Gmail 的設定中, 並沒有強制要求使用 Domain Keys 的收件方對他們的信件進行 signature verify 的動作.
所以在目前的狀況下, 就算我們使用了這個機制, 也無法對他們的信件作出完全正確的判斷.