Implications of DKIM signing for DCC filtering?

Vernon Schryver vjs@calcite.rhyolite.com
Tue May 29 21:37:48 UTC 2007


> From: Gary Mills 

> I've just been reading about Domain Keys Identified Mail at:
>
> 	http://dkim.org/
>
> It's quite impressive, although it has some intentional limitations.
> I'd expect that companies that are frequent `phishing' targets, such
> as banks, will start signing their e-mail as soon as they can.

Yes, and spammers and others are already authenticating their mail with
DKIM and SPF.   With DKIM, targets of phishing will still not distinguish
between citybank.com and citibank.com.  They will still swallow not
quite plausible bait and cough up their account numbers, social security
numbers, user names, PINS and so forth.

DKIM, SPF, and similar sender authentication schemes cannot and
will not do anything significant against phishing.  Knowing that a
mail message was not in some trivial sense forged tells you nothing
about whether you can trust what it says.  This equivalent to the
ancient mantra that a PGP signature shows that the message is good
but not that the sender is good.

To stop phishing with some sort of authentication, you probably would
have to reverse the handshake and authenticate customers to service
providers with mechanisms that cannot be copied like PINs.  Some banks
in Europe are reported to be distributing token cards to force customers
to authenticate themselves to the bank and as a side effect authenticate
the bank to the customer.


> How will DKIM signing fit into DCC?  I assume that DCC will be a good
> place to verify signatures.  Should signed and verified messages be
> exempted from bulk mail rejection by DCC?  I assume it's not that
> simple.
>
> Organizations that sign e-mail messages must take responsibility for
> those messages, but I assume that the level of responsibility will
> vary.  In the case of a bank, the e-mail senders will be employees,
> but in the case of an ISP, they will be customers.  The relationship
> between the organization and the e-mail sender is quite different in
> these two cases.  There will also be some organizations whose business
> is sending bulk mail.  I can see a need for reputation ratings, along
> with whitelists and blacklists of domain names.  How much of this wil
> fit into DCC?

Authentication of a message from stranger is the same as no
authentication at all.  Authentication makes sense only in the
context of other messages from the sender.  That a message has a
good DKIM signature tells you nothing unless the domain name is
already known and unless you can distinguish citibank from citybank.

The only sane use I've heard of for DKIM is to help ISPs like AOL manage
whitelists.  Instead of use a list of IP addresses and updates when the
list for a sender changes, AOL might watch for domain names on a list
of trusted mail service providers and check DKIM signatures for those
domain names.

You might do the same with DCC client whitelisting.  With DKIM
checks, you could put example.com in /var/dcc/whiteclnt and not
worry that mail forged to appear to come from example.com will be
whitelisted for DCC checks.  This assumes that you are among the
very few people who worry about that now.

Using DKIM that way would be just like configuring sendmail to know
about some PKI certs or SMTP-AUTH keys and fixing sendmail.cf with
hackmc to whitelist mail with valid SMTP-TLS or SMTP-AUTH keys.  Just
as you would not whitelist mail that arrives via SMTP-TLS but with a
certificate that you cannot verify, you would not whitelist mail from
a stranger merely because it has a good DKIM signature.

Given Eric Allman's interest in DKIM, I assume that sendmail will soon
be able to treat DKIM signatures like SMTP-TLS or SMTP-AUTH authentication.
Depending on how sendmail DKIM support is coded, the DCC `hackmc` script
will need small changes or no changes at all for dccm to treat DKIM
signatures from senders that sendmail trusts the same as mail with PKI
verified certs from senders that sendmail trusts.

As for manual reputations, configuring sendmail to know about some
domain names that use DKIM is like configuring sendmail to know some
PKI certs for use with SMTP-TLS.  The trouble is that manual reputations
don't scale.

DKIM does little for automatic reputations that is not already done IP
addresses.  Automatic DKIM reputations might be useful after most
legitimate mail senders publish DKIM keys, but that's not going to
happen in the foreseeable future.  Automatic IP address reputations are
available today in many flavors including DCC reputations and don't
need the cooperation fo mail senders.


Vernon Schryver    vjs@rhyolite.com



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.