
ddx - Re: [ddx] dkim inconsistency

Subject: DKIM Deployment

  • From: Jesse Thompson <>
  • To: Dave CROCKER <>
  • Cc:
  • Subject: Re: [ddx] dkim inconsistency
  • Date: Mon, 18 May 2009 15:22:41 -0500

Dave CROCKER wrote:
> Jesse Thompson wrote:
>> One thing I notice is that all signatures from Yahoo and Facebook are failing,
>
> Separate from the debugging discussion that needs to (or has already) take place on this on the other mailing list, it might be interesting to get some discussion here about current use of DKIM, problems and benefits.
>
> Also, what would make DKIM more useful?

This is something that we are trying to figure out.

Our anti-spam vendor, Sophos PureMessage, just added DKIM verification support, so this is the first chance I've had to realistically investigate the usefulness of DKIM. I had planned to find some time to implement dkim-milter, so it is very convenient that Sophos has given us this feature for free.

My current line of thinking is that we can use DKIM for whitelisting mass mailers who want reliable delivery of their mailings into users' Inboxes. This would eventually replace IP address and domain name based whitelisting. We generally avoid whitelisting by not documenting it and forcing the mailers to test their mailings and prove that whitelisting is required. But we do get the occasional request, and there are probably many other organizations that would take advantage of whitelisting if we made it more accessible.

The one problem area that I'm seeing, and which is exemplified by the problems related to Yahoo and Facebook, is consistency and reliability. As I can demonstrate, some DKIM implementations think Yahoo's signatures are valid, and others think that they are not. So, if we assume that a certain percentage of the mass mailers will have problems with DKIM, they may think that their signatures are valid but we might not validate them. How do we avoid manually intervening with every mass mailing to guarantee reliable DKIM signature verification?

Since this inconsistency exists (regardless of who is at fault) we need a way to independently verify signatures. The email addresses provided at http://dkimproxy.sourceforge.net/ are useful, and would be a good model. However, I think that these services should be more official and authoritative in order to be effective at forcing senders to fix errors in their signature creation software/process and receivers to fix errors in their signature verification software/process.

Jesse

--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM:

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
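
The allowlisting idea and the verifier-disagreement problem discussed in this message, sketched as an added example that is not part of the original post or of any product named in it. It keys the allowlist on the DKIM signing domain and reports a separate outcome when two verifiers disagree; the allowlisted domains, the verifier names and the Authentication-Results strings are constructed assumptions.

```python
import re

# Assumption: senders approved for allowlisting, keyed by DKIM signing domain (d=).
ALLOWLIST = {"news.example.com", "alerts.example.org"}

# One DKIM result plus its signing domain, e.g. "dkim=pass header.d=news.example.com".
DKIM_RESULT = re.compile(r"dkim=(\w+)\b[^;]*?\bheader\.d=([\w.-]+)", re.IGNORECASE)

def dkim_results(auth_results):
    """Return {signing_domain: result} from one Authentication-Results value."""
    return {d.lower(): r.lower() for r, d in DKIM_RESULT.findall(auth_results)}

def decide(verdicts):
    """verdicts maps a verifier name to its Authentication-Results value.

    allowlist    - every verifier passed a signature from an allowlisted domain
    inconsistent - verifiers disagree about an allowlisted domain; follow up
    filter       - no verified allowlisted signature; normal filtering applies
    """
    parsed = [dkim_results(value) for value in verdicts.values()]
    inconsistent = None
    for domain in sorted(ALLOWLIST):
        results = {p.get(domain, "none") for p in parsed}
        if results == {"pass"}:
            return ("allowlist", domain)
        if "pass" in results and inconsistent is None:
            inconsistent = domain  # at least one pass, at least one non-pass
    if inconsistent:
        return ("inconsistent", inconsistent)
    return ("filter", None)

# Constructed sample results for three messages, as seen by two hypothetical verifiers.
PASS = "mx.example.edu; dkim=pass header.d=news.example.com"
FAIL = "mx.example.edu; dkim=fail (body hash did not verify) header.d=news.example.com"
OTHER = "mx.example.edu; dkim=pass header.d=bulk.example.net"
SAMPLES = {
    "agree": {"verifier-a": PASS, "verifier-b": PASS},
    "disagree": {"verifier-a": PASS, "verifier-b": FAIL},
    "unlisted": {"verifier-a": OTHER, "verifier-b": OTHER},
}

if __name__ == "__main__":
    for name, verdicts in SAMPLES.items():
        print(name, decide(verdicts))
```

A message whose signature fails on every verifier falls through to normal filtering, the same as an unsigned one; only the "inconsistent" outcome points at a sender or verifier implementation that needs fixing.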



