DKIM becomes more official

Gary Mills
Fri Oct 12 19:46:37 UTC 2007

I see from a recent announcement that Yahoo and Ebay/Paypal are now
supporting DKIM for e-mail domain authentication.  Their stated
purpose is to block e-mail sent to Yahoo users with forged Ebay or
Paypal e-mail addresses.  This implies that Yahoo will be blocking
e-mail that has these forged addresses.  In particular, Paypal
phishing attempts have been very efficient in fooling users lately.
I'm looking for a way to block those forgeries too, and still allow
legitimate e-mail from those addresses to get through.

With DKIM, there will be three categories of e-mail that purport to
have senders.  The first will have a DKIM signature that
passes validation.  The second will have one that fails validation.
The third will not have the signature.  I'd expect to treat the last
two categories in the same way, assuming that Paypal have their DKIM
signatures and keys set up correctly.

How should DCC treat such e-mail?  This depends on the reputation of
the e-mail domain owner with regard to spam.  A company whose users
are employees would be seen differently than an e-mail provider whose
users are customers, because they have much less control over
customers than over employees.  Companies that specialize in spam
would also need a unique reputation.

For companies with strict reputations with regard to spam, I'd like to
be able to whitelist the first category of e-mail.  This setting would
always allow legitimate e-mail to get through.  For organizations with
lesser reputations, I'd like to blacklist messages in the last two
categories, but allow users to whitelist messages in the first
category.  DCC would need a mechanism to specify a different
DKIM-based treatment for each e-mail domain name.  Is such a thing
possible with DCC?

-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
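The three categories and the per-domain treatment described in the post, as an added example (not code from the post or from DCC). The policy table, domain names and header values are constructed, and "pass" additionally requires the signing domain (d=) to match the From: domain, since a valid signature from some other domain does nothing to show the address is genuine.

```python
import re
from email import message_from_string, policy, utils

# Constructed per-domain policy table (hypothetical; not a DCC feature):
# "strict" domains: valid aligned signature -> whitelist, otherwise normal.
# "lenient" domains: unsigned or failing -> blacklist, valid -> user may whitelist.
DOMAIN_POLICY = {"paypal.example": "strict", "freemail.example": "lenient"}

# dkim=<result> and, if present, the signing domain from Authentication-Results.
AR_RE = re.compile(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", re.I)

def from_domain(msg):
    return utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dkim_category(msg):
    """'pass' only if a signature verified AND its d= matches the From:
    domain; a signature that fails or belongs to another domain is 'fail';
    no signature at all is 'none'."""
    sender = from_domain(msg)
    for ar in msg.get_all("Authentication-Results", []):
        for result, d in AR_RE.findall(ar):
            if result.lower() == "pass" and d.lower() == sender:
                return "pass"
    return "fail" if "DKIM-Signature" in msg else "none"

def dcc_action(msg):
    cat, pol = dkim_category(msg), DOMAIN_POLICY.get(from_domain(msg))
    if pol == "strict":
        return "whitelist" if cat == "pass" else "normal"
    if pol == "lenient":
        return "user-whitelistable" if cat == "pass" else "blacklist"
    return "normal"

def classify(raw):
    msg = message_from_string(raw, policy=policy.default)
    return dkim_category(msg), dcc_action(msg)

# Constructed sample messages (signature values are placeholders).
SIGNED_OK = ("From: service@paypal.example\n"
             "DKIM-Signature: v=1; d=paypal.example; s=k1; b=PLACEHOLDER\n"
             "Authentication-Results: mx.example; dkim=pass header.d=paypal.example\n"
             "\nbody\n")
UNSIGNED = "From: service@paypal.example\n\nbody\n"
BAD_SIG = ("From: service@paypal.example\n"
           "DKIM-Signature: v=1; d=paypal.example; s=k1; b=PLACEHOLDER\n"
           "Authentication-Results: mx.example; dkim=fail header.d=paypal.example\n"
           "\nbody\n")
LENIENT_UNSIGNED = "From: someone@freemail.example\n\nbody\n"
```

Call classify() on a raw message to get its category and the action the policy table assigns.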