DKIM signatures with DCC

Gary Mills mills@cc.umanitoba.ca
Tue Oct 27 20:50:50 UTC 2009


On Tue, Oct 27, 2009 at 03:30:12AM +0000, Vernon Schryver wrote:
> > From: "Chris Aseltine" <ophidian@newsnation.com>
> 
> > "Gary Mills" <mills@cc.umanitoba.ca> writes:
> >
> > > I've been using DCC to whitelist messages by DKIM signature for some
> > > time now, and have been quite pleased with the results.  I keep the
> 
> > > Unfortunately, the presence of a valid DKIM signature does not
> > > indicate that the message is not spam.  It only indicates that the
> > > sending domain employs DKIM signatures.  E-mail marketing companies,
> > > each with thousands of domain names, are signing their messages in
> 
> > > So far, I've only accumulated twelve domain names that I trust not to
> > > send spam.  This number has to be greatly expanded to make DKIM
> > > signatures truly useful.  How can we do this?  The usual answer seems
> > > to be a reputation database of domain names, but I've still not found
> > > such a thing.  I'm certainly willing to pay for it.  This is the
> > > missing piece in the puzzle.
> 
> My answer is a useless rant about the lack of profit in selling genuine
> honestly-really-never-sends-spam reputations.

It's also practical economics, and I appreciate that.

> If email reputations could work without manual whitelisting, then
> consumer and business credit ratings would be used for detecting
> good risks instead of avoiding bad risks.  In the real world, people
> and businesses with excellent credit don't advertise it or even hide it
> (e.g. by locking their credit bureau reports).  It's the others who
> jump through hoops like maintaining several active credit cards all
> below limit or blabbing all kinds of company confidential information
> to any phone caller that claims to be from D&B.

Yes, this is perverse.

> Reputations are not fungible or even transitive.  Real reputations are
> individual, and that implies that each user must decide which senders
> (and so DKIM or other headers) are sending solicited or tolerated bulk
> email.

If the sender works for a bank, for example, they are subject to the
bank's policies on e-mail.  Employees of an organization are less
likely to send spam than are customers of an organization, for example.
Companies can fire employees, but they don't want to alienate their
paying customers.

> Users who can't be bothered to make their own decisions should
> be encouraged to use Microsoft or Google, which my tests imply blacklist
> all mail except from senders who've done the equivalent of hiring help to
> improve their FICO credit scores.

Yes, it seems that e-mail senders are willing to pay to improve the
`deliverability' of their e-mail.  Here's an example, taken from
a recent e-mail marketing message:

    http://www.isipp.com/iadb.php

At my organization, people complain about receiving spam.  They want
me to stop it.  I wonder if they are also willing to pay.  In any
case, I see now that waiting for somebody to compile a reputation
database is futile.  It looks as if we'll have to do this ourselves.
I'll see what sort of structure I need to make that possible.  DKIM
will still be the key to this treasure.

-- 
-Gary Mills-        -Unix Group-        -Computer and Network Services-
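
The following is an added example, not part of this message and not DCC code, of the approach discussed in the thread: a valid DKIM signature earns whitelisting only when the signing domain is on a locally maintained trust list. It assumes the local verifier records its verdict in an Authentication-Results header under the hypothetical authserv-id `mx.example.org`; the trust list, the helper `make` and the sample messages are constructed.

```python
import email
import re

# Assumptions (not from the thread): the local verifier's authserv-id and trust list.
AUTHSERV_ID = "mx.example.org"
TRUSTED_DOMAINS = {"bank.example", "university.example"}

def trusted_dkim_domains(raw_message):
    """Return locally trusted domains whose DKIM signature our own verifier passed."""
    msg = email.message_from_string(raw_message)
    trusted = set()
    for value in msg.get_all("Authentication-Results", []):
        # Unfold the header, then split the authserv-id from the result list.
        authserv, _, results = " ".join(value.split()).partition(";")
        tokens = authserv.split()
        # Ignore results stamped by anyone else: a sender can add this header too.
        if not tokens or tokens[0].lower() != AUTHSERV_ID:
            continue
        for result in results.split(";"):
            passed = re.match(r"\s*dkim\s*=\s*pass\b", result, re.I)
            domain = re.search(r"\bheader\.d\s*=\s*([A-Za-z0-9.-]+)", result, re.I)
            if passed and domain:
                name = domain.group(1).lower().rstrip(".")
                # Exact match only: a valid signature from an unknown domain earns nothing.
                if name in TRUSTED_DOMAINS:
                    trusted.add(name)
    return trusted

def make(auth_results):
    """Build a minimal constructed message carrying one Authentication-Results header."""
    return f"Authentication-Results: {auth_results}\nSubject: test\n\nbody\n"

# Constructed sample messages.
SAMPLES = {
    "trusted signer": make("mx.example.org; dkim=pass header.d=bank.example"),
    "valid but unknown": make("mx.example.org; dkim=pass header.d=bulkmailer.example"),
    "failed signature": make("mx.example.org; dkim=fail header.d=bank.example"),
    "forged header": make("mx.elsewhere.example; dkim=pass header.d=bank.example"),
    "lookalike domain": make("mx.example.org; dkim=pass header.d=bank.example.mailer.example"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: whitelist={bool(trusted_dkim_domains(raw))}")
```

For the authserv-id check to mean anything, the border MTA has to remove incoming Authentication-Results headers that already carry the local authserv-id.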


