Joe Horn's Revelations


It looks like Domain Keys is still in the testing phase.

A follow-up to yesterday's post.

I later got Domain Keys working, and from watching the logs from yesterday through today, I found that the senders currently using it include Yahoo! and Gmail.

Besides the English-language sites, people in mainland China have also played with it, and this post gives a brief explanation of Domain Keys.

However, as I said in the comment I left:

Domain Keys still seems odd, though. I ran into this problem here:

An advertiser forged the From: as , but since they do not belong to that organization, they did not use Domain Keys (their mail carried no DomainKey-Signature: header).

So even though the receiving side uses Domain Keys, it never performs signature verification on this mail, and the mail keeps flowing in.

Even when a Yahoo! or Gmail address is forged and placed in the From:, it still cannot be detected.

I just re-read the Domain Keys draft.

I found these two interesting records: text = "t=y; o=~; n="

*** Can't find No answer

Section 3.6.2, Interim sending domain policy, of the document has these two passages on the o tag:

o = Outbound Signing policy ('-' means that this domain signs all email, '~' is the default and means that this domain may sign some email with DomainKeys).

There is an important implication when a domain states that it signs all email with the "o=-" setting. Namely that the sending domain prefers that the recipient system treat unsigned mail with a great deal of suspicion. Such suspicion could reasonably extend to rejecting such email. A verifying system MAY reject unverified email if a domain policy indicates that it signs all email.

Of course nothing compels a recipient MTA to abide by the policy of the sender. In fact, during the trial a sending domain would want to be very certain about setting this policy, as processing by recipient MTAs may be unpredictable. Nonetheless, a domain that states that it signs all email MUST expect that unverified email may be rejected by some receiving MTAs.

In other words, the Yahoo! and Gmail settings do not require receivers that use Domain Keys to verify signatures on their mail.

So as things stand, even if we use this mechanism, we cannot make a fully correct judgement about their mail. :sad:
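As an added example (not code from the original post), here is the receiver-side decision the draft's o tag implies: an unsigned message is only rejectable when the From: domain publishes o=-. The policy records and messages are constructed stand-ins for the DNS lookup and real mail, and the domain names are hypothetical.

```python
import email
from email.utils import parseaddr

# Constructed policy records standing in for the _domainkey.<domain> TXT
# lookup a real verifier performs in DNS. The first mirrors the post's
# "t=y; o=~; n=" (testing mode, may sign some mail); the second is a
# hypothetical domain that declares it signs all mail.
POLICY_TXT = {
    "lenient.example": "t=y; o=~; n=",
    "strict.example": "o=-; n=",
}


def parse_policy(txt):
    """Split a record such as 't=y; o=~; n=' into {'t': 'y', 'o': '~', 'n': ''}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def disposition(raw_message, lookup=POLICY_TXT.get):
    """Decide what a DomainKeys-aware receiver may do with one message.

    Returns 'verify' when a DomainKey-Signature header is present, and
    otherwise 'reject' or 'accept' according to the From: domain's o= tag.
    """
    msg = email.message_from_string(raw_message)
    if msg.get("DomainKey-Signature") is not None:
        return "verify"
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    record = lookup(domain)
    if record is None:
        return "accept"  # no policy published: nothing to enforce
    tags = parse_policy(record)
    # o=- : the domain signs all mail, so a receiver MAY reject unsigned mail.
    # o=~ (the default): the domain may sign only some mail, so unsigned
    # mail cannot be rejected on policy grounds. This is the post's case.
    if tags.get("o") == "-":
        return "reject"
    return "accept"


# Constructed unsigned messages: the first is the situation in the post,
# a From: address at a lenient-policy domain with no signature to verify.
UNSIGNED_LENIENT = "From: someone@lenient.example\nSubject: hi\n\nbody\n"
UNSIGNED_STRICT = "From: someone@strict.example\nSubject: hi\n\nbody\n"
```

With o=~ the only defence is to treat the mail like any other unsigned message; only an o=- publisher lets the receiver act on the missing signature.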

To put it nicely: Domain Keys is still in the testing phase.

To put it bluntly: right now Domain Keys is pretty much useless. XD
