From: Murray S. Kucherawy <msk@se...> - 2007-08-06 22:34:07
Please confine future comments about the beta releases to the beta list.
On Mon, 6 Aug 2007, Mark Martinec wrote:
> Why burdening senders with a SSP query when originator signature
I used slightly too broad a stroke in describing this. The case I need to
cover in particular is unsigned messages, which weren't covered in the
previous code. We need to be able to tell if an unsigned message
should have been signed.
Before that it was applying DomainKeys logic which stipulated that you
would only go to a policy lookup when a message failed verification.
Also, the fact that I do an SSP evaluation (i.e. call the dkim_policy()
function) doesn't always result in a DNS query. To wit, step one of the
algorithm laid out in section 4.4 of the draft says:
   1. If a valid Originator Signature exists, the message is non-
      Suspicious, and the algorithm terminates.
There's no DNS involved in that test so running the algorithm on all
messages, even those that succeed, is not a burden to the sender.
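
An added example, not part of the original message and not dkim-milter or libdkim code: a small C model contrasting the earlier DomainKeys-style rule with the evaluation described above, counting simulated policy lookups. The enum, the function names and the single lookup standing in for the draft's later steps are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed message states for illustration; not libdkim types. */
enum sig_state { SIG_NONE, SIG_VALID_ORIGINATOR, SIG_FAILED };

static int dns_queries;                 /* simulated policy lookups issued */

/* Hypothetical stand-in for the DNS policy fetch; performs no network I/O. */
static void policy_lookup(void) { dns_queries++; }

/* Earlier DomainKeys-style rule: consult policy only after a failed verification. */
bool old_rule(enum sig_state s)
{
    if (s != SIG_FAILED)
        return false;                   /* unsigned mail is never checked */
    policy_lookup();
    return true;
}

/* Rule from the message: evaluate every message; step 1 ends before any DNS. */
bool new_rule(enum sig_state s)
{
    if (s == SIG_VALID_ORIGINATOR)
        return false;                   /* step 1: non-Suspicious, terminate */
    policy_lookup();                    /* assumption: remaining steps need one lookup */
    return true;
}

/* Run a rule over a batch and return how many lookups it caused. */
int count_queries(bool (*rule)(enum sig_state), const enum sig_state *m, size_t n)
{
    dns_queries = 0;
    for (size_t i = 0; i < n; i++)
        rule(m[i]);
    return dns_queries;
}

/* Constructed batch: two validly signed, one unsigned, one failed. */
const enum sig_state SAMPLE[] = { SIG_VALID_ORIGINATOR, SIG_VALID_ORIGINATOR, SIG_NONE, SIG_FAILED };

int main(void)
{
    printf("old rule: %d lookups\n", count_queries(old_rule, SAMPLE, 4));
    printf("new rule: %d lookups\n", count_queries(new_rule, SAMPLE, 4));
    return 0;
}
```

In this model the validly signed messages cost no lookup under either rule; the only extra lookup under the new rule is for the unsigned message, which the old rule never examined.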