ddx - DKIM at Cisco
Subject: DKIM Deployment
- From: Jim Fenton <>
- Subject: DKIM at Cisco
- Date: Sat, 15 Nov 2008 21:42:06 -0800
- Authentication-results: sj-dkim-2; ; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Since I won't be able to make it to Minneapolis for Sunday's meeting (or
at all, for that matter) I told Bob I'd write a short description, to
spur conversation, of how Cisco uses DKIM.
Cisco has deployed 19 dedicated signer/verifier MTAs around the world,
in San Jose, RTP, Amsterdam, Bangalore, Hong Kong, and Sydney. They sit
between our edge MTAs (IronPort boxes that do the bulk of our spam
filtering) and our internal infrastructure, which is SMTP-based around a
Microsoft Exchange core. The reason we have a separate DKIM layer has
to do with the experimental nature of the deployment: they are running
custom-written code that isn't a standard product, and we wanted to
retain the ability to pull the plug on the DKIM experiment if things
went awry. In a year or two of deployment, this hasn't happened.
By deploying our verification behind the main spam filters, we greatly
decrease the number of messages subject to DKIM verification. We are
aware of messages with DKIM signatures, both valid and invalid, which
are classified as spam. A better approach is to integrate DKIM
verification with filtering, so that messages with valid signatures from
known reliable domains don't have to undergo other analysis (possibly
resulting in a false positive). I understand that some service
providers, particularly GMail, operate in this way. Messages are
annotated with Authentication-results header fields. A few of us,
myself included, have their mail routed through a particular MTA that
annotates the Subject header fields of messages purporting to come from
Cisco that lack valid signatures. As a result, I sometimes receive
messages with subjects like:
Subject: [dkim unverified] Re: 73rd IETF - Registration
since many mailing lists modify messages in such a way as to break DKIM
signatures. This is one example of why it's not a good idea to reject
messages because they contain an invalid signature.
Outgoing messages also pass through these MTAs on the way out, and
acquire DKIM signatures. We don't come close to signing all of Cisco's
outgoing mail, however, because of mail outsourcing arrangements, groups
using non-standard infrastructure, and so forth. We also don't attempt
to sign or verify internal messages that circulate only through
Microsoft Exchange.
I typically use MUA message filters to color-code the summary line of
messages having valid DKIM signatures. That gives me some visibility on
what messages verify and which don't. I also get a daily count of the
number of messages from each domain from which signatures verified.
That allows us to monitor the rate of DKIM deployment; we're currently
getting valid DKIM signatures on about 5% of the mail that makes it
through the spam filter, and seeing valid signatures from about 1750
domains during a given week. It is very difficult to get more detailed
information because of privacy concerns.
Sorry I can't join you in Minneapolis. I'll be interested in how this
(ddx) experiment takes shape.
-Jim
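An added illustration of the annotating MTA described above; this is not code from Jim's message or from Cisco's deployment. It trusts only Authentication-Results fields carrying our own authserv-id (sj-dkim-2, taken from the archived header), tolerates the ';' that sits inside the parenthesised comment in that header format, and tags rather than rejects cisco.com mail lacking a valid signature. The senders, selectors and messages are constructed.

```python
import re
from email import message_from_string

AUTHSERV_ID = "sj-dkim-2"  # our verifier's id; Authentication-Results under any other id are ignored
OUR_DOMAIN = "cisco.com"
DKIM_RE = re.compile(r"^dkim=(\w+)")                  # the dkim= clause of a result field
DOMAIN_RE = re.compile(r"from\s+([A-Za-z0-9.-]+)/")   # "sig from <domain>/<selector>" in the comment

def sample(sender, subject, auth_results):  # constructed test message, not real traffic
    return message_from_string(f"From: {sender}\nSubject: {subject}\nAuthentication-Results: {auth_results}\n\nbody\n")

# A verified signature, one broken in transit (as list-modified mail is), a field
# injected upstream under a foreign authserv-id, and third-party mail that verifies.
SAMPLES = [
    sample("alice@cisco.com", "Weekly report", "sj-dkim-2; ; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );"),
    sample("bob@cisco.com", "Re: 73rd IETF - Registration", "sj-dkim-2; ; dkim=fail ( sig from cisco.com/sjdkim2002 failed; );"),
    sample("carol@cisco.com", "Invoice", "upstream-relay; dkim=pass ( sig from cisco.com/sjdkim2002 verified; )"),
    sample("dave@example.org", "Hello", "sj-dkim-2; dkim=pass ( sig from example.org/s1 verified; )"),
]

def split_clauses(field):
    """Split on ';' only outside parentheses: the ';' inside a comment is not a separator."""
    clauses, cur, depth = [], [], 0
    for ch in field:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif ch == ";" and depth == 0:
            clauses.append("".join(cur).strip()); cur = []
            continue
        cur.append(ch)
    return [c for c in clauses + ["".join(cur).strip()] if c]

def dkim_results(msg, authserv_id=AUTHSERV_ID):
    """(result, signing domain) pairs taken only from fields our own verifier wrote."""
    out = []
    for field in msg.get_all("Authentication-Results", []):
        clauses = split_clauses(field)
        if clauses and clauses[0].split()[0].lower() == authserv_id:
            for m, d in ((DKIM_RE.match(c), DOMAIN_RE.search(c)) for c in clauses[1:]):
                if m:
                    out.append((m.group(1).lower(), d.group(1).lower() if d else ""))
    return out

def annotate_subject(msg, our_domain=OUR_DOMAIN):
    """Tag (never reject) mail claiming our domain that has no valid signature for it."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    if m and m.group(1).lower() == our_domain and ("pass", our_domain) not in dkim_results(msg):
        return "[dkim unverified] " + msg["Subject"]
    return msg["Subject"]
```

Fields written by a foreign authserv-id are deliberately not trusted, since an upstream sender can add an Authentication-Results field of its own; the border MTA should strip any that claim our id.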