Author Domain Signing Practices


In computing, Author Domain Signing Practices
is an optional extension to the DKIM E-mail authentication
scheme, whereby a domain can publish the signing practices it adopts when relaying mail on behalf of associated authors.
ADSP was adopted as a standards track RFC 5617 in August 2009, but declared "Historic" in November 2013 after "...almost no deployment and use in the 4 years since..."

Concepts

Author address

The author address is the one specified in the header field defined in RFC 5322. In the unusual cases where more than one address is defined in that field, RFC 5322 provides for a field to be used instead.
The domains in 5322-From addresses are not necessarily the same as in the more elaborated Purported Responsible Address covered by Sender ID specified in RFC 4407. The domain in a 5322-From address is also not necessarily the same as in the envelope sender address defined in RFC 5321, also known as SMTP MAIL FROM, envelope-From, 5321-From, or, optionally protected by SPF specified in RFC 7208.

Author Domain Signature

An Author Domain Signature is a valid DKIM signature in which the domain name of the DKIM signing entity, i.e., the d tag in the DKIM-Signature header field, is the same as the domain name in the author address.
This binding recognizes a higher value for author domain signatures than other valid signatures that may happen to be found in a message. In fact, it proves that the entity that controls the DNS zone for the author — and hence also the destination of replies to the message's author — has relayed the author's message. Most likely, the author has submitted the message through the proper message submission agent. Such message qualification can be verified independently of any published domain signing practice.

Author Domain Signing Practices

The practices are published in a DNS record by the author domain. For an author address, it may be set as
_adsp._domainkey.example.com. in txt "dkim=unknown"
Three possible signing practices are provided for:
The ADSP specification explicitly discourages publishing a record different from "unknown" for domains who have independent users and a usage policy that does not explicitly restrict them to sending mail only from designated mail servers, since mail sent independently of the organization will not be signed.
However explicitly that caveat is worded, it is not straightforward to understand the purpose and the limitations of ADSP. One of ADSP's authors holds that it is better to publish private lists of discardable domains, maintained by competent people, rather than letting each domain state their policy. Recognizing that the spec has shipped an untested prototype, the author of a popular ADSP implementation has proposed to downgrade ADSP to experimental status. Later on, it was actually downgraded to historical. The consideration that DMARC covers more or less the same use case was influential, but not tied in.

History

For some time ADSP was known as ASP, or the original SSP, until a protocol naming poll.
Domainkeys, DKIM's predecessor, had an Outbound Signing policy consisting of a single character, "-" if a domain signs all email, and "~" otherwise. DKIM intentionally avoided signers' policies considerations, so that DKIM does not validate a message's "From" field directly, but is a policy-neutral authentication protocol. The association between the signer and the right to use "From", a field visible to end users, was deferred to a separate specification.
Eric Allman, the author of Sendmail, was an editor of the ADSP specification for the IETF DKIM Working Group.
The draft ADSP specification started in June 2007 and went through 11 revisions and lengthy discussion before being published as RFC in August 2009 - but was declared "Historic" four years later in November 2013 after "...almost no deployment and use in the 4 years since..."