DKIM becomes more official

Dan Mahoney, System Admin danm@prime.gushi.org
Fri Oct 12 21:17:36 UTC 2007


On Fri, 12 Oct 2007, Gary Mills wrote:

> I see from a recent announcement that Yahoo and Ebay/Paypal are now
> supporting DKIM for e-mail domain authentication.  Their stated
> purpose is to block e-mail sent to Yahoo users with forged Ebay or
> Paypal e-mail addresses.  This implies that Yahoo will be blocking
> e-mail that has these forged addresses.  In particular, Paypal
> phishing attempts have been very efficient in fooling users lately.
> I'm looking for a way to block those forgeries too, and still allow
> legitimate e-mail from those addresses to get through.

No... Because Yahoo will be *signing* outbound emails, so that other people 
may flag emails from (and ostensibly not from) the Yahoo official servers, 
this does not imply that they themselves will be using lack of such a 
signature to detect a forgery on their own end.

> With DKIM, there will be three categories of e-mail that purport to
> have paypal.com senders.  The first will have a DKIM signature that
> passes validation.  The second will have one that fails validation.
> The third will not have the signature.  I'd expect to treat the last
> two categories in the same way, assuming that Paypal have their DKIM
> signatures and keys set up correctly.

This would depend greatly on the Sender Signing Policy -- right now, the 
"policy" part of DKIM is still in draft status.  The only bit that's an 
official RFC is the part that says HOW headers and messages are signed.

> How should DCC treat such e-mail?  This depends on the reputation of
> the e-mail domain owner with regard to spam.  A company whose users
> are employees would be seen differently than an e-mail provider whose
> users are customers, because they have much less control over
> customers than over employees.  Companies that specialize in spam
> would also need a unique reputation.

I don't think DCC should, at all.

> For companies with strict reputations with regard to spam, I'd like to
> be able to whitelist the first category of e-mail.  This setting would
> always allow legitimate e-mail to get through.  For organizations with
> lesser reputations, I'd like to blacklist messages in the last two
> categories, but allow users to whitelist messages in the first
> category.  DCC would need a mechanism to specify a different
> DKIM-based treatment for each e-mail domain name.  Is such a thing
> possible with DCC?

This seems to be outside the purpose of DCC (although I invite VJS to 
contradict me on this).  You might want to look at an appropriate plugin 
for your MTA -- the sendmail milter is incredibly useful, and authored by 
one of the people spearheading the standard.

http://sourceforge.net/projects/dkim-milter/

-Dan Mahoney

--

"Hitler, Satan, those Hanson kids, anything.  Just not the curious
anteater."

-Peter Scolari, as Wayne Szalinki in "Honey, I Shrunk The Kids--The
Series"


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
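
The per-domain treatment discussed in this thread, sketched as an added example (not code from the thread, DCC, or dkim-milter). It assumes the MTA's DKIM verifier stamps an Authentication-Results header; the authserv-id `mx.example.net`, the policy table, the disposition names and the sample messages are all constructed, and domain matching is exact (no subdomains).

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"   # assumed: our own verifier's authserv-id
# Assumed per-domain reputation tiers (constructed for this example).
POLICY = {"paypal.com": "strict", "mail.example": "lesser"}
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)

def dkim_category(msg, from_domain):
    """'pass', 'fail' or 'none', counting only signatures by from_domain."""
    seen = []
    for hdr in msg.get_all("Authentication-Results", []):
        # Ignore results not stamped by our own verifier: a sender can forge them.
        if hdr.split(";", 1)[0].strip().lower() != TRUSTED_AUTHSERV:
            continue
        # A valid signature from some other domain says nothing about From.
        seen += [r.lower() for r, d in DKIM_RE.findall(hdr)
                 if d.lower() == from_domain]
    if "pass" in seen:
        return "pass"
    return "fail" if seen else "none"

def disposition(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tier = POLICY.get(domain)
    if tier is None:
        return "no-policy"            # domain not listed: leave to other filters
    if dkim_category(msg, domain) != "pass":
        return "reject"               # categories two and three treated alike
    return "whitelist" if tier == "strict" else "user-whitelist"

def sample(from_addr, auth_results=None):
    """Build a constructed test message."""
    ar = f"Authentication-Results: {auth_results}\n" if auth_results else ""
    return f"{ar}From: {from_addr}\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for raw in (
        sample("service@paypal.com", "mx.example.net; dkim=pass header.d=paypal.com"),
        sample("service@paypal.com", "mx.example.net; dkim=pass header.d=other.example"),
        sample("service@paypal.com"),
    ):
        print(disposition(raw))
```
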



