[ietf-dkim] Re: SSP and DKIM,
was Not exactly not a threat analysis
arvel at altn.com
Tue Aug 23 17:39:19 PDT 2005
> I think we're in violent agreement. I don't see anything
> particularly wrong with SSP, but as far as I know it's still
> just a paper design which makes it a poor candidate
> for standardization at this point.
I can shed some light on that point. I've got thousands of domains using
DKIM (that means with SSP) processing ALL EMAIL through SSP (except validly
signed messages that match the FROM). This is enabled by default.
WebTrends tells me I had 1,826 downloads of my DKIM-enabled MTA just today
(and today ain't over yet). Since July 26 when I first released it there
have been 65,392 downloads of it. Assuming people don't download 30-meg
installers for no reason that means there are a lot of DKIM capable servers
being trialed and operating in the wild right now. And I need to stress,
I'm _NOTHING_. Once I talk some of my competitors into getting on board
with me (which I can and they will) the number can really ramp up fast.
This scale is not ideal but it's not at all like SSP only exists on paper.
It would be better if Yahoo or Google or somebody implemented it but this
will come when they are ready. Finally, our open-source API on sourceforge
fully supports DKIM (that means SSP).
The problem I have is that I can't populate DNS with the required entries
for my customers automagically and they are mostly all incapable of doing
this on their own. If I could just solve that problem somehow.... working
on it. But, I can and do enable the verifier by default. So, what this
means is that SSP checks are getting a workout but there are very few actual
SSP records so I can't comment from the field on the utility of SSP as it
exists today. I can comment if I hear DNS performance related problems
though. I haven't heard any yet and I've instructed my support folks to
report any performance related problem that is solved by switching off DKIM
verification. So far, so good and I will report to this list anything I
More information about the ietf-dkim