[ietf-dkim] DKIM reputation
Douglas Otis
dotis at mail-abuse.org
Mon Oct 8 17:59:13 PDT 2007

On Oct 8, 2007, at 4:54 PM, Keith Moore wrote:
> Tony Finch wrote:
>> On Thu, 4 Oct 2007, Keith Moore wrote:
>>
>>> the vast majority of domains won't be able to use DKIM without
>>> seriously impairing their users' ability to send mail.
>>
>> You seem to be assuming that the vast majority of domains have
>> really shitty message submission servers or connectivity.
>
> It's a combination of several things - one, requiring that a domain
> operate its own mail submission servers which sign their mail (and
> all that that implies, like maintaining the private keys). Two,
> many domains will be too small to develop enough of a reputation to
> be whitelisted, and any spammer can create a temporary domain which
> will have about as good a reputation as the vast majority of those
> domains.
> Three, as long as people use Windows boxes, spammers will be able
> to compromise them and hijack them to use them to originate mail on
> behalf of their domains, thus degrading those domains' reputation.
>
> So basically if you're a small domain, you're SOL. If you're a
> large domain, people can't afford to blacklist you unless you
> originate a lot of spam anyway.

Keith,

The DKIM component that establishes reputation is being discussed
within the DKIM WG. The DKIM signature offers an alternative to the
IP address which serves as perhaps the only other assured basis for
reputation. Of course the IP address also shares all of these
problems. A DKIM signature can help avoid some of the reputation
problems associated with shared use of an IP address (which is a
larger problem for smaller domains). For larger domains, there might
be some concern related to replay abuse, where again, smaller domains
also enjoy an advantage in being able to squelch compromised systems.

Don't be too quick to condemn DKIM. There should be a simple
mechanism which allows email-domains to autonomously authorize DKIM-
domains. This feature should defray some of your concerns.

Delegating a zone of one's domain would be expensive to manage but is
currently the only means now permitted.

-Doug