Steve Jenkins put forth on 3/15/2011 10:16 PM:
> On Tue, Mar 15, 2011 at 8:54 PM, Stan Hoeppner <s...@hardwarefreak.com> wrote:
>> Steve Jenkins put forth on 3/15/2011 1:34 PM:
>>
>>> and anyone not signing should consider it.
>>
>> "Anyone not using seat belts and turn signals should consider it".
>>
>> I can see a clear advantage to the latter, but not the former.  Can you
>> briefly explain why you believe everyone should sign mail?

> Of course, we both know there's no magic bullet. But signing can help
> receivers verify the true provenance of the sender's message. Does it
> guarantee that the message isn't SPAM? Of course not. Every SPAM I've
> received from a GMail account has been signed. :)

The bot spam problem has been largely solved on the receiving end.  DKIM
only protects against forged mail.  Bot spam is where most of the
forging takes place.  Snowshoe spammers don't forge sender domains.
They purchase cheap throwaway domains by the millions.  If all legit
senders implemented DKIM tomorrow it would change nothing, unless all
receivers REQUIRED DKIM sigs.  If that were to happen, snowshoe spammers
would simply start signing, eliminating any minute benefit it currently has.

And then there's still the phishing and 419 problem with hacked freemail
accounts, where DKIM is totally useless.

> But can signing help identify and/or deter some spammers? Sure. And

Identify and deter spammers?  Louisiana farm land for sale?  ;)

> with optional ADSP extension to DKIM, it's even better. I see no
> downside to signing, and therefore ANY potential upside is a good
> thing. The resource overhead of DKIM signing and verifying is very
> low, so what good reason is there to NOT sign?

One downside is that one must install a milter, policy daemon, and/or
content filter to send, or verify a DKIM sig and then score the message.

> Frankly, I don't know how to answer your 20% question. Maybe on your
> system, 20% is as good as it's gonna get! But based on what I know

That's probably because it was a rhetorical question.  DKIM can't do
anything to help block that 20% because it *is* signed.

> about you, I get the sense you're someone who primarily deals with
> lots of incoming mail. And it always seems that where one stands

Yes, 99% of my mail flow is inbound.

> depends on where one sits. :) I'm sitting on the other side. We
> process very little incoming mail, but send millions of legitimate
> emails to our customers every week. DKIM signing them has undeniably
> increased our inbox deliverability rates, and inbound processors can
> know that if a mail claims to come from us but isn't signed, it's
> bogus.

As I mentioned above, the forged mail problem is almost entirely bot
spam, solved by all other means before DKIM.  The only reason your
deliverability increased is because those receivers *require* DKIM for
bulk senders.  If you recall DKIM's genesis was at Yahoo, one of the
largest receivers on the planet.  Funny how it's only good for gorillas,
and does nothing for the vast majority of other MXen on the planet.

> Again, with no downside and little-to-no cost, even a small potential
> upside is a good thing.

Not in this case.  There is no DKIM upside for most receivers, esp those
not using scoring filters.  And I'm guessing those already using scoring
content filters (SA) and/or policy daemons have more than enough scoring
criteria already to block most spam, and that adding a score for "DKIM
pass" would do nothing to catch the few that get through.

-- 
Stan
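
Both positions argued in this thread show up in a small receiver-side check. It is an added illustration, not code from either poster: a DKIM pass confirms which domain signed, so throwaway-domain spam verifies just as well as legitimate bulk mail, while unsigned mail claiming a domain known to sign everything can be flagged as forged. Assumptions: the hostnames, domains, the ALWAYS_SIGNS list (a local stand-in for a published signing policy) and all sample messages are constructed; From/d= alignment is an exact match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # assumed: authserv-id of our own MX
ALWAYS_SIGNS = {"bulk-sender.example"}    # assumed: local list of always-signing domains

def dkim_pass_domains(msg):
    """d= domains reported as dkim=pass by our own MX (simplified RFC 8601 parse)."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue  # not stamped by us, so the sender could have written it
        for clause in results.split(";"):
            m = re.search(r"\bdkim=pass\b.*?\bheader\.d=([\w.-]+)", clause, re.I | re.S)
            if m:
                domains.add(m.group(1).lower())
    return domains

def classify(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain in dkim_pass_domains(msg):
        return "domain-verified"  # identifies the signer; says nothing about spam
    if from_domain in ALWAYS_SIGNS:
        return "forged"           # claims an always-signing domain, no valid signature
    return "unverified"

def sample(from_addr, auth_results):  # builds a constructed test message
    return (f"From: {from_addr}\nAuthentication-Results: {auth_results}\n"
            "Subject: constructed sample\n\nbody\n")

SAMPLES = {
    "signed bulk mail": sample("news@bulk-sender.example",
        "mx.receiver.example; dkim=pass header.d=bulk-sender.example"),
    "unsigned, claims bulk sender": sample("news@bulk-sender.example",
        "mx.receiver.example; dkim=none"),
    "signed throwaway domain": sample("deals@throwaway-123.example",
        "mx.receiver.example; dkim=pass header.d=throwaway-123.example"),
    "pass header not stamped by us": sample("news@bulk-sender.example",
        "mx.other.example; dkim=pass header.d=bulk-sender.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw)}")
```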
