Experience with DKIM signatures and DCC

Vernon Schryver vjs@calcite.rhyolite.com
Sun Apr 20 15:32:38 UTC 2008

> From: John Levine <johnl@iecc.com>
> To: Gary Mills <mills@cc.umanitoba.ca>
> cc: dcc@calcite.rhyolite.com

> >> Take a peek at http://www.domain-assurance.org/, a little trade

> No, it's not.  Perhaps you should read it again.  DAC sets standards, we 
> don't certify anything or anyone.
> VBR is basically a spec for shared domain whitelists, sort of like the way 
> the RBL format is a spec for shared IP blacklists.  Once you know that a 
> domain in a message is real via DKIM or whatever, you can use VBR to see 
> if it's on whatever whitelists you want to use.

That might make it easier to use whitelists, but it does nothing
to solve the real problem, creating and maintaining those whitelists.

> > I suppose what we need is for the recipients of e-mail to rate the
> > reputation of sending organizations.  Representing the recipients,
> > I'd be willing to pay for such a service. 

That makes one paying customer in a sea of users that would not
pay.  Without intending any offense and based on what paying customers
are willing to pay for DNSBL and other anti-spam services, it is a
customer that is probably unwilling and unable to pay enough.

> >                                            Another alternative is
> > some independent rating organization that ensures that the sender
> > takes responsibility for their e-mail.

That gets back to the conflict of interest problem.  Practically the
only sources of operating revenue for mail sender rating organizations
are senders of email.  Practically the only email senders willing to
pay for a rating are those with natural reputations that need improvement.
Consider the history of consumer goods ratings organizations.  However, if
you like the idea, consider Habeas or Ironport.

> Right.  Given the history of spam filters, user ratings don't work very 
> well because users are inconsistent.  I expect that the largest use will 
> be rating companies and trade groups or regulators that publish lists of 
> their members, e.g. the FDIC publishing lists of domains of the banks 
> they insure.

Users are inconsistent.  Besides the famous problems with "this is spam"
buttons operated by mail service providers, consider the near uselessness
of reviews of power tools, computers and other goods on the web.  Bulk
email senders are even more inconsistent.  Would you trust that FDIC
insurance implies an incoming mail message with a valid DKIM signature
is a bank statement instead of an unsolicited bulk offer for a free
credit card or brokerage services?  I wouldn't, given my piles of credit
offers from major banks using loopholes in the registry of postal
addresses that don't want credit card offers.

Such a mechanism might reduce phishing, but phishing has never been
the majority of the spam problem.  Besides, judging from the little
spam I see, the phishing problem is much improved in the last several
months.  I don't know if that is due to law enforcement efforts,
the irritating multi-part passwords required by the FDIC or someone
(the stupid questions and answers), or other things as mundane as the
ever-changing fads in spam.

Vernon Schryver    vjs@rhyolite.com
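The VBR step John describes above (first prove the domain with DKIM, then ask a shared whitelist about it), as an added example that is not code from the DCC project or from anyone on this thread.  It assumes the RFC 5518 lookup name <md>._vouch.<mv>; DNS is replaced by a stub over a constructed zone, the tag syntax of the TXT answer is a simplification, and vouch.example, bank.example and bulk.example are made-up names.

```python
"""Chaining a DKIM verification result into a VBR (Vouch By Reference,
RFC 5518) lookup.  Added example, not code from the DCC project or from
anyone on the thread.  DNS is replaced by a stub over constructed TXT
records, and the tag syntax of the TXT answer is a simplification."""


def parse_tags(value):
    """Parse 'k=v; k2=v2' tag lists (VBR-Info header or _vouch TXT record)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, val = part.split("=", 1)
        tags[key.strip().lower()] = val.strip()
    return tags


def parse_vbr_info(header_value):
    """VBR-Info needs md (message domain), mc (content type), mv (vouchers)."""
    tags = parse_tags(header_value)
    missing = [t for t in ("md", "mc", "mv") if t not in tags]
    if missing:
        raise ValueError("VBR-Info missing tag(s): %s" % ", ".join(missing))
    return tags


def vbr_query_name(message_domain, vouching_domain):
    """RFC 5518 lookup name: <md>._vouch.<mv>."""
    return "%s._vouch.%s" % (message_domain.lower(), vouching_domain.lower())


# Constructed zone standing in for a vouching service's DNS (made-up names).
FAKE_TXT = {
    "bank.example._vouch.vouch.example": ["v=vbr; mc=transaction"],
    "bulk.example._vouch.vouch.example": ["v=vbr; mc=list"],
}


def stub_resolver(name):
    """Stand-in for a TXT lookup; returns [] for names with no record."""
    return FAKE_TXT.get(name.lower(), [])


def vbr_check(dkim_result, vbr_info_value, trusted_vouchers, resolve=stub_resolver):
    """Return (vouched, reason).

    dkim_result is (status, d=) from the DKIM verifier.  VBR-Info only
    means something once DKIM has proven that md is really the signer's
    domain; the header itself is unsigned text anyone can add.
    """
    status, signing_domain = dkim_result
    if status != "pass":
        return (False, "no valid DKIM signature, so md= is unauthenticated")
    tags = parse_vbr_info(vbr_info_value)
    md, mc = tags["md"].lower(), tags["mc"].lower()
    if md != signing_domain.lower():
        return (False, "VBR-Info md=%s does not match DKIM d=%s" % (md, signing_domain))
    # A sender may name several vouching services; consult only those the
    # receiver already trusts (the receiver's policy, not the sender's).
    for voucher in (v.strip().lower() for v in tags["mv"].split(":")):
        if voucher not in trusted_vouchers:
            continue
        for txt in resolve(vbr_query_name(md, voucher)):
            rec = parse_tags(txt)
            if rec.get("v", "").lower() != "vbr":
                continue
            vouched_types = [t.strip().lower() for t in rec.get("mc", "").split(":")]
            if mc in vouched_types:
                return (True, "%s vouches for %s as %s" % (voucher, md, mc))
            return (False, "%s vouches for %s only as %s, message claims %s"
                    % (voucher, md, rec.get("mc"), mc))
    return (False, "no trusted voucher has a record for %s" % md)


if __name__ == "__main__":
    trusted = {"vouch.example"}
    print(vbr_check(("pass", "bank.example"),
                    "md=bank.example; mc=transaction; mv=vouch.example", trusted))
    print(vbr_check(("pass", "bulk.example"),
                    "md=bulk.example; mc=transaction; mv=vouch.example", trusted))
    print(vbr_check(("fail", "bank.example"),
                    "md=bank.example; mc=transaction; mv=vouch.example", trusted))
```

Note what the lookup does and does not tell the receiver: it confirms that a voucher the receiver trusts lists the DKIM-verified domain for a given message class, nothing more.  The mc= claim comes from the sender, so a verified bank.example signature plus a "transaction" vouch says nothing about whether the particular message is a statement or a credit card offer, which is the objection raised above.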
