DKIM signatures with DCC

Gary Mills
Thu Oct 29 19:27:34 UTC 2009

On Tue, Oct 27, 2009 at 10:21:03PM +0000, Vernon Schryver wrote:
> > From: Gary Mills <>
> > To: Vernon Schryver <>
> > Cc:,
> > > Reputations are not fungible or even transitive.  Real reputations are
> > > individual, and that implies that each user must decide which senders
> > > (and so DKIM or other headers) are sending solicited or tolerated bulk
> > > email.
> >
> > If the sender works for a bank, for example, they are subject to the
> > bank's policies on e-mail.  Employees of an organization are less
> > likely to send spam than are customers of an organization, for example.
> > Companies can fire employees, but they don't want to alienate their
> > paying customers.
> I fear the definition of "spam" there is not any and all unsolicited
> bulk email, but the self-serving nonsense of lawful opt-out email
> advertisers as fraud and other illegal junk but excluding lawful
> unsolicited bulk email advertising.

Yes, banks have marketing departments too.  However, they also listen
when their customers complain.  This can't be a big problem.

> My personal experience with
> very large banks and credit card companies is that they use exactly
> the same ESPs to send junk email I explicitly don't want as to send
> "security alerts" and similar that I probably should want.

Yes, I've seen that too.  The ease of contracting out your e-mail
announcements makes it attractive.  One used here even wanted our
signing key so they could make their mail look as if it came from us.

> There's
> nothing forged about junk advertising email that you've explicitly
> declined from your bank or stock broker.  That makes using DKIM or
> anything else to prevent forgery ineffective.

That is actually a big step forward.  Once an organization signs their
e-mail, they become accountable for it simply because it can't be
forged.  If they don't respond to complaints, they can be delisted or
downgraded in a reputation database.

> Concerning the general value of DKIM:
>   - Spam from Google that has DKIM signatures, like the wanted email as 
>      well as the spam from my big bank and credit card company.

This is true.  However, the origin of the e-mail is no longer in
question.  `' does respond to complaints.  So far,
we haven't whitelisted Google by DKIM signature, although we could.

>   - Should I spend the time and effort to make this mailing list DKIM
>      signed, or would my time be better spent putting DNSSEC signatures
>      on and using the ISC DLV registry?
>      (I've spent the few minutes needed to sign the zones, but haven't
>      mustered the ambition to sign up at )

I assume these are unrelated actions.  If you signed the mailing list,
it would make it easier for me to whitelist it.

>   - Are any of the ~830 mailing lists at found with an
>      obvious search DKIM signed?  What about other mail from
>  Or would your time be better spent getting
>      DNSSEC going on

So far, we are not signing outgoing e-mail.  It's easy for me to enable
it, though.  Some uses of e-mail may break when I do that, but
eventually I'll have to.  This points out a problem, of course.
Senders have to sign e-mail in order for recipients to check it.

> A DNS blacklist (DNSBL) is as much a reputation system as any other.
> The IP addresses in most DNSBLs are as practically unforgeable as DKIM
> signatures.  The problems with DNSBLs are that they list bad guys instead
> of good guys and IP addresses are a little (but not a lot) more subject
> to change than domain names.

In a sense that is true.  I'd prefer something independent of a DNSBL
so I can use both together.

-Gary Mills-        -Unix Group-        -Computer and Network Services-
