On 2008-03-05 at 15:26 -0600, Matt wrote:
> If you use it hopefully it's less likely your messages will be marked
> as SPAM. I doubt DKIM is any better at blocking SPAM. They both do
> basically the same thing which is ensure only authorized senders are
> allowed to send messages for a given domain.

At the USENIX 2007 meeting, some Sendmail folks held a BoF on use of DKIM. In that, one of the presenters stated (paraphrasing from memory) that some of the banks which have been targets of phishing attacks have been going to the large ISPs to persuade them to (a) turn on DKIM verification and (b) actively reject anything claiming to come from them (the banks) which fails DKIM verification.

If this holds true, then it may be in practice that DKIM will be necessary for phishing targets and just spam-score for everyone else, to get mail through to big email providers, with manual lists of DKIM-required.

In any case, turning on DKIM signing for outbound email for people with small servers (such as I'm now using, since I'm no longer an ISP postmaster) is a pretty definite win. Turning on DKIM verification has some DoS possibilities which some people are very concerned about, others less so.

For myself, I DomainKeys-sign outbound and verify inbound. Further, later tonight (unless something intervenes) I'll try out the new Exim snapshot which supports dual-signing (DomainKeys + DKIM). The problem with DKIM before now has been transitioning in Exim, since you'd have to disable DomainKeys in DNS and wait for that change to expire from caches everywhere, before enabling DKIM. Being able to run both concurrently provides a protected transition mechanism.

Myself, once I've transitioned to DKIM then I'll be inclined to put in a learning DB with a tool which scans Exim logs for senders who used DKIM, verifies that they're publishing DNS saying that they use DKIM (non-testing) and then updates the DB to add that domain, so that future mail from that domain will require use of DKIM. A learn-and-lock approach. Perhaps with the ability to notice disappearing DKIM DNS for those domains already in the DB.

Use of a search engine found someone's notes from the BoF:
http://www.l33tskillz.org/usenix2007/bof201/

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
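
The learn-and-lock idea from the message above, sketched as an added example (not code from the poster or from Exim). Assumptions: the log line shape, domains and DNS records are constructed, DNS is passed in as a lookup function so the block runs offline, and "non-testing" is read as the key record lacking the `t=y` flag.

```python
import re

# Assumed log line shape for a passing verification (constructed, not from the page).
LOG_RE = re.compile(r"DKIM: d=(?P<d>\S+) s=(?P<s>\S+) .*\[verification succeeded\]")
SAMPLE_LOG = [  # constructed sample lines
    "2008-03-06 01:02:03 DKIM: d=bank.example s=k1 a=rsa-sha256 [verification succeeded]",
    "2008-03-06 01:05:09 DKIM: d=testing.example s=t1 a=rsa-sha256 [verification succeeded]",
    "2008-03-06 01:07:44 DKIM: d=other.example s=x a=rsa-sha256 [verification failed]",
]
SAMPLE_DNS = {  # constructed TXT records; key material is a placeholder
    "k1._domainkey.bank.example": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
    "t1._domainkey.testing.example": "v=DKIM1; t=y; p=PLACEHOLDERKEY",
}

def key_is_production(txt):
    """True if the key record exists, has a non-empty p= and lacks the t=y flag."""
    if txt is None:
        return False
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return bool(tags.get("p")) and "y" not in tags.get("t", "").split(":")

def learn(log_lines, lookup_txt, db):
    """Lock in domains seen passing DKIM whose key record is live and non-testing."""
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and key_is_production(lookup_txt(f"{m['s']}._domainkey.{m['d'].lower()}")):
            db.setdefault(m["d"].lower(), set()).add(m["s"])
    return db

def vanished(db, lookup_txt):
    """Locked domains where no learned selector still publishes a usable key."""
    return sorted(d for d, sels in db.items()
                  if not any(key_is_production(lookup_txt(f"{s}._domainkey.{d}")) for s in sels))

def must_reject(sender_domain, dkim_passed, db):
    """Locked domains need a passing signature whose d= is that domain; others pass through."""
    return sender_domain.lower() in db and not dkim_passed

if __name__ == "__main__":
    db = learn(SAMPLE_LOG, SAMPLE_DNS.get, {})
    print(db, vanished(db, {}.get), must_reject("bank.example", False, db))
```

Run `vanished()` on a schedule and alert on its output rather than unlocking automatically, so a removed key record is reviewed before the domain loses its DKIM requirement.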
