DKIM Deployment

["RL 'Bob' Morgan" <>]

One of the questions that came up at the initial meeting regards what 
messages a site should sign.

Assume a situation where your campus has a primary set of MTAs that most 
outgoing mail goes through for all kinds of purposes:  teaching, research, 
administration, students, even alumni.  There are lots of department and 
other MTAs so not everything goes through the central ones, but most does. 
The simple assumption is that if your site decides to do DKIM it would 
sign all messages sent from these MTAs.

At the meeting I think some people were nervous about that, since we know 
that there may be many sources of spam/phishing from our campuses, via 
stolen accounts, hacked machines, even enterprising students or staff.  If 
we sign everything we'd be tarnishing our reputations and obliging 
ourselves to take responsibility in some fashion for all that bad traffic.
So we would restrict signing to some more well-behaved mail streams.

I think DKIM orthodoxy, on the other hand, says that indeed everything 
should be signed.  I think the argument goes that if you are injecting 
messages into the Internet mail system then you are "responsible" for them 
whether you sign them or not.  Signing just helps recipients determine 
more easily and accurately that it really was your MTAs that forwarded 
them.  If you let lots of bad mail go through and take no actions to stop 
it then your reputation will suffer in any case.  Signing doesn't make you 
more liable or accountable really, it just makes clear who the accountable 
party is.

Comments on this issue?  I think it's one that sites will need guidance 
on.

 - RL "Bob"