[ietf-dkim] Re: 3rd party signing (designated and non-designated)

Douglas Otis dotis at mail-abuse.org
Mon Jul 31 11:42:17 PDT 2006


On Jul 31, 2006, at 10:13 AM, Hector Santos wrote:

>
> We were seeing quite a few invalid DomainKeys with fake domains
> that do not exist.  Are we expecting DKIM to be an exception to this
> obvious abuse rule?

DKIM will not reduce the level of abuse.  Bad actors are equally  
capable of signing, mimicking non-DKIM use scenarios, and acquiring  
new and used domain names.  DKIM coupled with additional methods to  
associate message elements with that of the signing domain should  
improve delivery.  An association with the signing domain with other  
message elements may also assist during the envelope phase.


> Keep in mind, with DKIM-BASE, we have a methodology that says
> "Ignore Invalids."  How does anyone expect this unprotected
> methodology to not be exploited?

Don't expect DKIM to be widely adopted when this means that mailing
lists and the like lead to delivery failures.  Permit a reasonable
policy statement that enables simpler modes for utilizing DKIM.  DKIM
without policy still provides tremendous benefit.


> With DKIM-SSP, it helps eliminate the high potential abuse of  
> "Ignore Invalids."

Please don't think of OA policy as an obstacle that email must
avoid.  Bad actors are most able at navigating around impediments.
Think of policy as a means for small outfits to obtain an alternative
method for the signing domain to be associated with the OA domain.
In general, obstacles will block valid messages, but eventually few
abusive messages.  Aggressive blocking based upon policy will raise
support costs and cause user dissatisfaction with little impact upon
the overall level of abuse.  Alternatively, an association between
the OA and signing domain might improve delivery (avoid delays or
placement in the junk folder).

In exceptional cases where transactional messages are being spoofed,
there is also the issue of just the display-name being visible,
look-alike, and international domain names where spoofing might continue
despite strict DKIM policy.  Blocking this form of abuse requires
comparing content within the message against known good sources of
such content based upon appearance.  This type of effort seems beyond
DKIM policy, although DKIM sans policy assists in reducing the false
positive rate of this process.

-Doug
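The two ideas the reply turns on, "ignore invalids" (a signature that fails verification is treated no differently from no signature) and an association between the signing domain and the originating address (OA) domain, can be shown in a few lines. The following is an added illustration, not code from the list post or from any DKIM implementation; the function names, the `verify_result` string values and the `allow_parent_domain` option are assumptions made for the example, and the sample headers in the test are constructed.

```python
from email.utils import parseaddr
from typing import Optional


def tag_value(header: Optional[str], tag: str) -> Optional[str]:
    """Return the value of one tag (e.g. 'd') from a DKIM-Signature
    tag=value list; folding whitespace inside the value is removed."""
    if header is None:
        return None
    for part in header.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip() == tag:
            return "".join(value.split()) or None
    return None


def dkim_signing_domain(header: Optional[str]) -> Optional[str]:
    """Signing domain (d= tag) of a DKIM-Signature header, lower-cased."""
    d = tag_value(header, "d")
    return d.lower() if d else None


def originator_domain(from_header: str) -> Optional[str]:
    """Domain of the originating address, i.e. the From: mailbox."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def classify(from_header: str,
             dkim_signature_header: Optional[str],
             verify_result: Optional[str],
             allow_parent_domain: bool = False) -> str:
    """Classify a message by the relationship between its signing domain
    and its OA domain.

    verify_result is the outcome the DKIM verifier already produced
    ("pass", "fail", or None when no signature was present); the
    string values are an assumption of this example.

    Returns "unsigned", "first-party" or "third-party".
    """
    # "Ignore invalids": a failed signature carries no more weight than
    # an absent one, so both collapse to "unsigned".
    if verify_result != "pass":
        return "unsigned"
    sd = dkim_signing_domain(dkim_signature_header)
    oa = originator_domain(from_header)
    if sd is None or oa is None:
        return "unsigned"
    if sd == oa:
        return "first-party"
    # Optional policy choice (assumption): let a parent domain sign for
    # its subdomains, e.g. d=example.com for From: user@news.example.com.
    if allow_parent_domain and oa.endswith("." + sd):
        return "first-party"
    # Any other valid signature, e.g. a mailing list's, is third-party:
    # still useful reputation data, just not an OA association.
    return "third-party"
```

The point of the classification is what the reply argues for: a valid third-party signature (a mailing list re-signing a post) is not a reason to reject, while a first-party association is extra evidence a receiver can use to improve delivery of that domain's mail.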
