DKIM Extensions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

The NOMAIL policy is declared in an SSP record using the tag "NOMAIL". No parameters are specified for the NOMAIL policy. If specified the NOMAIL policy states that no mail is sent from the domain to which it is attached. All mail that purports to have been sent by that domain MUST be considered suspicious.

The NULL Signature algorithm is a DKIM signature algorithm that always produces the same signature value regardless of the message contents. A message signed with the NULL signature MUST be treated as if it were unsigned for all purposes other than verifying compliance with a DKIM policy. For purposes of policy compliance, a message that carries a NULL signature is considered to be compliant if and only if it is consistent with the signing restrictions specified in the key record. A key record that specifies the NULL signature algorithm SHOULD specify usage restricted to specific senders.

The x509 key record extension specifies a URL from which a certificate chain corresponding to the key specified in the key record may be obtained. The key chain is specified as a CMS SignedData structure with no data.

The ideas in this document arose from extensive discussions with the DKIM working group, in particular Hector Santos and others.

This document requests allocation of a DKIM SSP tag 'NOMAIL'

The NOMAIL policy MAY be employed to perform a denial of service attack.