[ietf-dkim] ADSP stats
hsantos at isdg.net
Wed Apr 20 21:08:37 PDT 2011
Murray S. Kucherawy wrote:
>> As I remember it, there was (or appeared to be) consensus to get ADSP
>> out there for testing by the entities it might work for, AND
>> simultaneously work on something for the 3rd party scenarios.
>> What ever happened to that work? I know there were a couple of drafts,
>> and Murray added support for one to OpenDKIM...if the 3rd party stuff
>> is really that important, why isn't anyone using it?
> Indeed, I asked this question at a couple of industry trade groups I attend, MAAWG being one of them. The answer I generally get is that the key delegation already supported by DKIM works just fine, so why do we need some other mechanism that hits the DNS yet again and employs some complex policy expression language?
> There has been no uptake at all in OpenDKIM for ATPS, and almost none is apparent with ADSP, although in the latter case our data can only give a range for adoption because we don't query when an author signature passes. I could tighten that down by running five figures worth of TXT queries if we really feel the need to be more accurate.
> I don't know of any public implementations of the other schemes.
Because of my continued skepticism to "flip the DKIM switch" on our
general customer base, our wcDKIM add-on implementation has been
isolated to selected testers and for those customers who had requested
ADSP and the extensions ATPS v1 and ACL are supported out of the box
and all testers and customers using it have ATPS records with ACL and
ATPS extensions enabled, and its works. It works VERY well to to
declare more than one authorized signer.
A Web-based Wizard was completed to help with the generation of the
ADSP records, and it comes with a SIMULATOR:
For my own records, I included mipassoc.org as an authorized signer of
my list membership.
Do an ADSP look up for ISDG.NET and you see the atps and acl tags:
nslookup -query=txt _adsp._domainkey.isdg.net
and if you use the wizard for ISDG.NET using mipassoc.org as an
authorized signer, to generate the ATPS record, you will see that
exposure in DNS.
nslookup -query=txt N3LSEHML2WGBFXOV7HSAK2QZSUBSEFHB._atps.isdg.net
So the implementation is there and again it works really great. Here
is the Authentication-Results header for my isdg.net submissions to
the IETF-DKIM list when our receiver gets a list mipassoc.org signed copy:
dkim=pass header.i=mipassoc.org header.d=mipassoc.org header.s=k00001;
adsp=pass policy=all author.d=isdg.net asl.d=mipassoc.org;
And if OPENKIM was checking and recording it, it SHOULD produce the
Once we officially release our new update, while I still on the fence
to expose our customers to negative domain DKIM branding for a
non-existent TRUST Database world, odds are good I will let the beast
But I can change my mind as I still have no confidence DKIM by itself
is good for our general customer base who will follow our lead, what
we do as a good thing. So its not just about ADSP, DKIM itself has a
serious deployment dilemma with little to no payoff and a high risk of
unsolicited 3rd party signers weighting down domain branding.
However, it is ADSP whether its an illusion or not, that currently
provides marketing reasons to answer the question how DKIM signing can
help. I can't just say "Batteries are required" to find an
independent Trust Assessment Service. The last time we did that with
an implementing of a new technology, serious PR problems developed
when an intermediary 3rd party broker exited its new business model
Overall, this is all about promotion. What you promote in this Product
R&D endeavor. Don't promote ADSP, it doesn't go anywhere as fast as
one may wish. Yet, there has been long time evidence by many
companies who stated they were waiting the Proposed standard to be
finished. These are companies who are sending sensitive vendor/user
messages and they are not signed by DKIM. It makes you wonder why
not, ask them privately outside this WG and you may be surprise.
When you see the reputation push, when you have no leading champion
supporting it, advocating not to use it, of course, you are not going
to get wider acceptance. Its as simple at that.
At this moment, you are the DKIM technology market leader. It is up to
you as a PRODUCT R&D engineer if you want to see ADSP used, tested and
explored among your OPENDKIM customer base.
Hector Santos, CTO
More information about the ietf-dkim