[ietf-dkim] SSP = FAILURE DETECTION

Douglas Otis dotis at mail-abuse.org
Fri Sep 8 17:29:40 PDT 2006


On Sep 8, 2006, at 1:59 PM, Hector Santos wrote:

> Are you expecting them to be DKIM-READY to display this information  
> themselves?

Unless the MDA modifies the message, DKIM can be verified at the MUA  
or even the web client for that matter.  DKIM working in conjunction  
with MUA annotations provides for many of the human factors needed  
to thwart much of the fraud.  Look-alike attacks should prove far  
less successful, for example.

> If so, why should the MTA even bother to do DKIM-PROCESS and just  
> let the offline MUA do the DKIM processing?

One advantage would be an ability to safely bypass filters for bulk  
senders where prior arrangements have been made.  The other might be  
to reduce a filter's false positive rate, minimize defanging  
operations, and improve abuse reporting.


> The bottom line is that you still need to "FILTER" something at  
> some level even if you don't use SSP at the MTA and I can assure  
> you that without SSP, I am less willing to assume product liability  
> issues by wasting time doing an ACCOUNTABILITY check at the MTA that  
> has no payoff of eliminating mail.

The "bottom line" could be annotations applied that benefit the  
recipient without filtering beyond what is normally done already.   
DKIM should improve the performance of this filtering process as  
well.  A reduction in spam might be expected by reducing the revenue  
sustained by successful fraud in the way of identity theft, and the  
introduction of malware.  Of course, it might also mean bad actors  
redouble their efforts.  The real "bottom line" is that DKIM cannot  
prevent spam.  Contrary to Dave's opinion, when DKIM is coupled with  
an intelligent MUA, it should reduce the success rate for much of the  
fraud, and improve the open rates for valid messages.


To support an intelligent MUA, only email-addresses "assured" valid  
are safely annotated.  The percentage of email-addresses protected by  
DKIM can be improved through the use of policy records by:

  - extending a signing domain's ability to assure the validity of an  
email-address.

  - limiting assurances to selected email-addresses, when annotations  
are based upon a trusted-domain list.

-Doug
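The annotation decision Doug sketches in his closing paragraph, written out as an added example (mine, not code from the post, the DKIM working group or any DKIM implementation). It assumes the MUA already has the list of DKIM signing domains (d= tags) whose signatures verified on the message, models a policy record as a hypothetical per-domain list of signing domains allowed to assure that domain's addresses, and keeps annotation limited to assurers on the recipient's trusted-domain list; the record format, function names and all sample data are constructed for illustration.

```python
"""Illustrative MUA annotation decision for DKIM-verified mail.

Added example, not from the thread. It models two things the post describes:
  1. an email address is "assured" only when a signature that verified was
     made by a domain allowed to assure it (the address's own domain, or a
     third party the domain's policy record names), and
  2. annotation is further limited to assurers on the recipient's
     trusted-domain list, so a verified signature from a look-alike domain
     earns no annotation.
The policy-record layout below is a constructed stand-in, not the SSP format.
"""
from email.utils import parseaddr
from typing import Dict, Iterable, List, Optional

# Constructed policy records, keyed by the From-address domain. The "assure"
# list names the signing domains permitted to assure addresses at that domain.
POLICY_RECORDS: Dict[str, Dict[str, List[str]]] = {
    "bank.example": {"assure": ["bank.example", "esp.example"]},
    "news.example": {"assure": ["news.example"]},
}

# Constructed trusted-domain list held by the recipient's MUA.
TRUSTED_DOMAINS = frozenset({"bank.example", "esp.example", "news.example"})


def from_domain(from_header: str) -> Optional[str]:
    """Extract the lower-cased domain of the address in a From: header."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def assured_by(from_header: str, verified_signing_domains: Iterable[str]) -> Optional[str]:
    """Return the verified signing domain that assures the From address, if any.

    Without a policy record, only the address's own domain may assure it.
    """
    domain = from_domain(from_header)
    if domain is None:
        return None
    allowed = {d.lower() for d in POLICY_RECORDS.get(domain, {}).get("assure", [domain])}
    for signer in verified_signing_domains:
        if signer.lower() in allowed:
            return signer.lower()
    return None


def annotation(from_header: str, verified_signing_domains: Iterable[str],
               trusted: frozenset = TRUSTED_DOMAINS) -> str:
    """Decide what the MUA should display for the From address.

    Returns "verified:<assurer>" when the address is assured by a trusted
    domain, otherwise "none" (unsigned, signed by a domain that cannot
    assure this address, or assured by a domain the recipient does not trust).
    """
    assurer = assured_by(from_header, verified_signing_domains)
    if assurer is None or assurer not in trusted:
        return "none"
    return f"verified:{assurer}"


if __name__ == "__main__":
    # Constructed sample messages: (From header, signing domains that verified).
    samples = [
        ("Alerts <alerts@bank.example>", ["bank.example"]),        # first-party signature
        ("Alerts <alerts@bank.example>", ["esp.example"]),         # third party named in policy
        ("Alerts <alerts@bank.example>", ["attacker.example"]),    # verified, but not allowed to assure
        ("Alerts <alerts@bank-example.test>", ["bank-example.test"]),  # look-alike, not trusted
        ("Alerts <alerts@bank.example>", []),                      # unsigned
    ]
    for hdr, signers in samples:
        print(f"{hdr:40} {signers!s:24} -> {annotation(hdr, signers)}")
```

The look-alike case is the one worth noting: the signature verifies, the address is even assured by its own domain, yet nothing is annotated because the assurer is not on the trusted list, which is the limiting effect the post attributes to a trusted-domain list.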
