DKIM becomes more official

Vernon Schryver vjs@calcite.rhyolite.com
Sun Oct 28 15:27:51 UTC 2007


> From: Gary Mills 

> The other
> extreme would be an organization that specializes in spam and uses
> DKIM signatures for their e-mail.  In that case, I'd like to reject
> all of their e-mail, validated or not.  That seems way too easy.  Why
> would such a company admit to sending spam and also use DKIM
> signatures?

You might also ask why so much spam has valid SPF records and why some
spam appears to have good PKP signatures.  I think that is because
many people drank deeply of the sender-authentication-as-FUSSP koolaid.
Recall that SPF was originally sold to satisfy the widespread demand
for authentication as the Final Ultimate Solution for the Spam Problem.
SPF, DKIM, etc. are now sold as anti-forgery tools to ease the maintenance
of manual whitelists like your "reputation database," but there are
still many people who "think" that those or some yet to be invented
sender authentication mechanism will solve the spam problem.

Spammers that choose to send from their own IP addresses instead of
botnets, broken PHP servers, open SMTP relays, etc. have always included
a practically unforgeable token of their identity with their spam.
The sending IP address for email cannot in practice be forged, because
even before RFC 1948 support became a check-list item, a Mitnick attack
was far too expensive per successful TCP connection to be used for
advertising.  Spammers that prefer to comply with laws, whether the
CAN-SPAM Act or computer crime laws, lose nothing by including additional
sender authenticators with their IP addresses and might gain access
to mailboxes operated by the authentication-as-FUSSP brigades.
At worst some people who would otherwise spend the effort to blacklist
the spammers' IP addresses and complain to ISPs will in effect quietly
add themselves to one of those expensive "suppression lists."

Besides, what you call "an organization that specializes in spam"
might be what others call a "permission based email advertising
agency" that has won a Google or Microsoft auction for the right
to send some advertising to mailboxes run by a mail provider that
uses SPF, DKIM, or whatever to ease the maintenance of a whitelist.
Whitelisting by IP address is technically perfectly sufficient, but
like blacklisting by IP address, can need a lot of manual maintenance.


  ...............

} > >>Does that header change depending on the sender?
} > 
} > At the moment, yes, eventually no.  We're hashing out the spec in a group 
} > down the virtual hall from the DKIM group.
}
} If they're all the same, which I assume means that the e-mail domain
} of the sender will no longer appear in the header text, DCC clients
} won't be able to treat different e-mail domains differently.

You might refuse to update your dkim-milter code to future versions
that are compliant with whatever the DKIM Group decides.  You could
modify future versions to have the current behavior.  Or perhaps you
could convince the code's maintainers to include support for the current
behavior as an option.  Or maybe future versions of the dkim-milter
code will add some other header, perhaps mandated by the future
standard, that varies with the sender but is constant among all
messages from a given sender.


Vernon Schryver    vjs@rhyolite.com
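As an added illustration of the policy discussed in this thread (rejecting a known spam domain "validated or not", and treating signing domains differently the way a DCC client would want), the following Python example, which is not part of the thread or of dkim-milter, parses the d= tag of a DKIM-Signature header and combines it with an IP-based whitelist; the headers, domains, addresses and reputation table are constructed for the example.

```python
import re

# Constructed sample headers (not from the thread), folded as received.
# The d= tag names the signing domain per RFC 4871.
SAMPLE_HEADERS = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=bulk.example.net; s=sel1; h=from:to:subject;\r\n"
    "\tbh=Y29uc3RydWN0ZWQ=;\r\n"
    "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl\r\n"
    "From: promo@bulk.example.net\r\n"
)

# Hypothetical local "reputation database" keyed by signing domain and by IP.
REPUTATION = {
    "domain": {"friend.example.org": "accept", "bulk.example.net": "reject"},
    "ip": {"192.0.2.10": "accept"},
}

def unfold(headers):
    """Join RFC 5322 folded continuation lines (line break followed by WSP)."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def dkim_tags(headers):
    """Return the tag=value pairs of the first DKIM-Signature header, or {}."""
    for line in unfold(headers).splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = {}
            for item in value.split(";"):
                tag, eq, val = item.partition("=")
                if eq:  # skip the empty item left by a trailing semicolon
                    tags[tag.strip()] = re.sub(r"\s+", "", val)
            return tags
    return {}

def decide(headers, client_ip, signature_valid):
    """Local policy: signing domain and connecting IP are both sender identities."""
    dom = dkim_tags(headers).get("d", "").lower()
    if dom and REPUTATION["domain"].get(dom) == "reject":
        return "reject"       # known spam domain: a valid signature changes nothing
    if signature_valid and REPUTATION["domain"].get(dom) == "accept":
        return "accept"       # domain whitelist applies only to verified signatures
    if REPUTATION["ip"].get(client_ip) == "accept":
        return "accept"       # IP whitelisting needs no signature at all
    return "check-dcc"        # no local opinion: fall through to DCC checksums
```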
