In computing, Author Domain Signing Practices (ADSP) is an optional extension to the DKIM E-mail authentication scheme, whereby a domain can publish the signing practices it adopts when relaying mail on behalf of associated authors.
ADSP was adopted as a standards track RFC 5617 in August 2009, but declared "Historic" in November 2013 after "...almost no deployment and use in the 4 years since..."[1]
The author address is the one specified in the From header field defined in RFC 5322. In the unusual cases where more than one address is defined in that field, RFC 5322 provides for a Sender field to be used instead.
The domains in 5322-From addresses are not necessarily the same as in the more elaborate Purported Responsible Address covered by Sender ID specified in RFC 4407. The domain in a 5322-From address is also not necessarily the same as in the envelope sender address defined in RFC 5321, also known as SMTP MAIL FROM, envelope-From, 5321-From, or Return-Path, optionally protected by SPF specified in RFC 7208.
An Author Domain Signature is a valid DKIM signature in which the domain name of the DKIM signing entity, i.e., the d tag in the DKIM-Signature header field, is the same as the domain name in the author address.
This binding recognizes a higher value for author domain signatures than other valid signatures that may happen to be found in a message. In fact, it proves that the entity that controls the DNS zone for the author — and hence also the destination of replies to the message's author — has relayed the author's message. Most likely, the author has submitted the message through the proper message submission agent. Such message qualification can be verified independently of any published domain signing practice.
The practices are published in a DNS record by the author domain. For an author address john.doe@example.com, it may be set as
_adsp._domainkey.example.com. IN TXT "dkim=unknown"
Three possible signing practices are provided for:
The ADSP specification discourages publishing any record other than "unknown" for domains with independent users and no strict policy to send mail only via designated servers, since such mail would not be signed.[3]
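The check a receiver performs can be sketched as follows. This is an added example, not code from RFC 5617 or from any ADSP implementation. It assumes a single-address From field, DKIM signatures that have already been verified, and a TXT string that has already been fetched; the practice values "all" and "discardable" are the other two defined by RFC 5617, and the function names and result labels are hypothetical.

```python
from email.utils import parseaddr

# dkim= values defined by RFC 5617; anything else is treated as "unknown".
PRACTICES = {"unknown", "all", "discardable"}

def adsp_name(domain):
    """DNS name where the author domain publishes its practices."""
    return f"_adsp._domainkey.{domain}."

def author_domain(from_header):
    """Domain of the (single) RFC 5322 From address, lower-cased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def parse_adsp(txt):
    """Return the published practice, or None when there is no usable record."""
    if not txt or not txt.startswith("dkim"):
        return None                      # the record must start with the dkim tag
    name, sep, value = txt.split(";")[0].partition("=")
    if not sep or name.rstrip() != "dkim":
        return None
    value = value.strip().lower()
    return value if value in PRACTICES else "unknown"

def evaluate(from_header, valid_d_tags, adsp_txt):
    """Classify a message. valid_d_tags holds the d= values of DKIM signatures
    that already verified; adsp_txt is the TXT string found at adsp_name(),
    or None. The result strings are this example's own labels."""
    domain = author_domain(from_header)
    # An Author Domain Signature needs d= equal to the author domain; a valid
    # signature from a sub-domain or from a third party does not count.
    if any(d.lower().rstrip(".") == domain for d in valid_d_tags):
        return "pass"
    practice = parse_adsp(adsp_txt)
    if practice is None:
        return "none"
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]

if __name__ == "__main__":
    sender = "John Doe <john.doe@example.com>"   # constructed sample input
    print(adsp_name(author_domain(sender)))
    print(evaluate(sender, ["example.com"], "dkim=all"))
    print(evaluate(sender, ["lists.example.net"], "dkim=all"))
    print(evaluate(sender, ["mail.example.com"], "dkim=discardable"))
```

The published practice only matters when no Author Domain Signature is present; a message signed with a d tag equal to the author domain qualifies regardless of the record.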
Even so, its purpose and limitations are not always clear. One of ADSP's authors argued it's better to maintain private lists of discardable domains, managed by trusted parties, than to have each domain declare its own policy.[4][5] Acknowledging that the spec was essentially an untested prototype, the author of a popular ADSP implementation proposed downgrading it to experimental status.[6] It was eventually reclassified as historical,[1] partly because DMARC covered a similar use case.[7]
For some time ADSP was known as ASP (Author Signing Practices),[8] or the original SSP (Sender Signing Practices), until a protocol naming poll.[9]
DomainKeys, DKIM's predecessor, had an Outbound Signing policy consisting of a single character, "-" if a domain signs all email, and "~" otherwise.[10] DKIM intentionally avoided considerations of signers' policies, so that DKIM does not validate a message's "From" field directly, but is a policy-neutral authentication protocol. The association between the signer and the right to use "From", a field visible to end users, was deferred to a separate specification.[11]
Eric Allman, the author of Sendmail, was an editor of the ADSP specification for the IETF DKIM Working Group.
The draft ADSP specification started in June 2007 and went through 11 revisions and lengthy discussion before being published as an RFC in August 2009, but was declared "Historic" four years later in November 2013 after "...almost no deployment and use in the 4 years since..."[1]