Experience with DKIM signatures and DCC

Gary Mills mills@cc.umanitoba.ca
Sat Mar 29 16:22:48 UTC 2008


I've started using DKIM signatures to whitelist some e-mail messages.
I use whitelist entries like this:

    ok      substitute Authentication-Results electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@alert.bankofamerica.com

The advantage of doing it this way is that users won't do their own
whitelisting by sender address.  When they do that, they also allow
lots of phishing messages to get through.  Financial institutions seem
to be beset with this nuisance.

So far, I've only whitelisted five domains by DKIM signature.  It's
easy to find Authentication-Results lines in the sendmail logs, but
those are not sufficient for whitelisting.  For example, some of the
ones that show up most frequently are from e-mail marketing companies.
They own long domain names like @fastmarketingeleven.com,
@restaurantpromotionsprevail.com, and @prohibitthree.com that all have
the same top-level web page, a removal application.  I'm certainly not
going to whitelist those!

SPAM reputation is critical in this game.  In most cases, I can't even
guess which domains have a good reputation and which don't.  I
certainly can't investigate all of them.  I've only found one bank so
far that uses DKIM signatures.  A reputation database is the missing
ingredient.  In terms of procedure, I'd need to begin with the
Authentication-Results log lines or headers, determine the owner of
the domain, and then look up the reputation of the owner.  Is any sort
of reputation database available now?  Soon?

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
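
The procedure described in the message above, as an added example that is not part of the original post: it tallies DKIM results per signing domain from logged Authentication-Results headers and emits whitelist entries, in the form shown in the post, only for domains a person has already vetted. The syslog/milter prefix of the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines; the syslog/milter prefix is an assumed format.
SAMPLE_LOG = """\
Mar 29 10:01:02 electra sm-mta[1201]: m2TA01: Milter insert (1): header: Authentication-Results: electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@alert.bankofamerica.com
Mar 29 10:02:10 electra sm-mta[1207]: m2TA02: Milter insert (1): header: Authentication-Results: electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@fastmarketingeleven.com
Mar 29 10:03:44 electra sm-mta[1215]: m2TA03: Milter insert (1): header: Authentication-Results: electra.cc.umanitoba.ca; dkim=fail (bad signature) header.i=@alert.bankofamerica.com
Mar 29 10:04:05 electra sm-mta[1222]: m2TA04: Milter insert (1): header: Authentication-Results: electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@prohibitthree.com
Mar 29 10:05:31 electra sm-mta[1230]: m2TA05: Milter insert (1): header: Authentication-Results: electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@alert.bankofamerica.com
"""

HEADER_RE = re.compile(r"Authentication-Results:\s*(.+?)\s*$")
RESULT_RE = re.compile(r"\bdkim=(\w+)")
IDENT_RE = re.compile(r"\bheader\.i=\S*@([A-Za-z0-9.-]+)")

def parse_line(line):
    """Return (header_value, dkim_result, signing_domain) or None."""
    header = HEADER_RE.search(line)
    if not header:
        return None
    value = header.group(1)
    result, ident = RESULT_RE.search(value), IDENT_RE.search(value)
    if not (result and ident):
        return None
    return value, result.group(1).lower(), ident.group(1).lower().rstrip(".")

def tally(log_text):
    """Count DKIM results per signing domain and keep the passing header values."""
    stats = defaultdict(lambda: {"pass": 0, "other": 0, "values": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        value, result, domain = parsed
        if result == "pass":
            stats[domain]["pass"] += 1
            stats[domain]["values"].add(value)
        else:
            stats[domain]["other"] += 1
    return dict(stats)

def whitelist_entries(stats, approved):
    """Emit entries only for exact-match domains a human has already vetted."""
    return [f"ok      substitute Authentication-Results {value}"
            for domain in sorted(approved & stats.keys())
            for value in sorted(stats[domain]["values"])]

if __name__ == "__main__":
    print(*whitelist_entries(tally(SAMPLE_LOG), {"alert.bankofamerica.com"}), sep="\n")
```

The approved set is matched exactly, not by suffix, so a frequently seen signer such as the marketing domains never produces an entry just because its signatures verify.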


