Domain Keys for email sender authentication [LWN.net]

Domain Keys for email sender authentication

Posted Jun 22, 2006 13:37 UTC (Thu) by job (guest, #670)
Parent article: Domain Keys for email sender authentication

What problem exactly are they trying to solve?

If I wanted authenticated e-mail I'd be running pgp/gpg by now. There are several implemenations and easy to use plugins that anybody can use. So this sort of smells like yet another misguided attempt against spam.

When we all get properly authenticated spam, then what?

to post comments

Domain Keys for email sender authentication

Posted Jun 22, 2006 14:34 UTC (Thu) by proski (guest, #104) [Link] (3 responses)

PGP signatures certify that the message was signed by a certain person. Domain keys certify that the message was sent from a certain domain. So if you get a DK-authenticated message from foo@yahoo.com, you know that foo is actually a Yahoo user.

DK-authenticated spam can be reported to the domain name owners and (if they seem to be spammers) to their ISPs. Non-authenticated spam is reported to the owners of the IP block where the SMTP server was located. It could be argued that the former is more effective.

Domain Keys for email sender authentication

Posted Jun 23, 2006 20:08 UTC (Fri) by pjones (subscriber, #31722) [Link] (2 responses)

DK-authenticated spam can be reported to the domain name owners and (if they seem to be spammers) to their ISPs.

This just doesn't mesh with reality. These days, there are two types of spammers. The first are large spamming operations, generally operating from spam-friendly countries. Generally their ISPs don't care (because they're providing net-neutral bandwidth), and the police absolutely don't care. The second kind are virus software. These are starting to become incredibly sophisticated. They know about smarthosts, and they'll know as much about using DKIM to talk to their ISP (and thus send mail the rest of the world will see as legitimate) as MS Outlook does. They may well even use Outlook's libraries to do it.

Calling NetZero and telling them that you got spam from one of their customers is essentially the same as calling them up and telling them their customers are running windows. They may put forth legitimate and concerned effort to stop the spamming, but having it signed isn't going to make it any easier.

Domain Keys for email sender authentication

Posted Jun 24, 2006 2:00 UTC (Sat) by grouch (guest, #27289) [Link] (1 responses)

There is a 3rd group of spammers: Online retailers. Remember that spam is unsolicited, commercial email. A lot of online retailers seem to believe that if you dare order from them, it is then acceptable for them to send you email advertisements you never requested.

Domain Keys for email sender authentication

Posted Jun 26, 2006 23:46 UTC (Mon) by dlang (guest, #313) [Link]

if this was all I had to deal with life would be good and very few people would care about spam.

while this type of mail is mildly annoying it's nowhere near the danger and hassle of the other 90+% of the spam which is from people you have never dealt with before.

Domain Keys for email sender authentication

Posted Jun 23, 2006 17:12 UTC (Fri) by shane (subscriber, #3335) [Link] (3 responses)

When we all get properly authenticated spam, then what?

Then the police go to the domain registrar and ask for the contact details of the owner of the domain. They then pay a friendly visit.

Or not so friendly. But living in a police state is okay as long as nobody tries to sell me Viagra, right?

Domain Keys for email sender authentication

Posted Jun 23, 2006 23:14 UTC (Fri) by giraffedata (guest, #1954) [Link] (2 responses)

I think spam already tells you where it came from, via received: headers and IP packet source addresses. I don't see that spammers are managing to spoof IP addresses, and when a received: header is forged, I think it's pretty easy to find out, if you're at the police investigation stage.

So what does DKIM add for spam prevention?

Domain Keys for email sender authentication

Posted Jun 23, 2006 23:42 UTC (Fri) by caitlinbestler (guest, #32532) [Link] (1 responses)

You need to think whitelist, not blacklist.

Authentication of the source allows you to confidently whitelist known sources, such as your own domain, without having annoying spammers forge headers just to get past your filters.

Domain Keys for email sender authentication

Posted Jun 24, 2006 2:30 UTC (Sat) by giraffedata (guest, #1954) [Link]

I was going to say that (but in a different sub-thread, because this one was about DKIM being useful for blacklists), but then I realized that out of 13,000 spams a month I get, only about 1 is "from" someone in my whitelist of a few thousand email addresses (everyone from whom I've received real mail or to whom I've sent mail in the past few years). So it's not a problem worth fixing.

As for whitelisting the originating server, I don't think that would help me personally, except in the case of your example -- mail from the local domain. And I do that today, based on the Received: header, because mail from the local domain would pass through only trusted mail servers to me.

I guess I do have a few more fake whitelist "froms" than what I said -- e.g. service@paypal.com, but I discard those with some other rules before checking the whitelist (I know it didn't come from Paypal, because Received: says the server that sent it isn't *.paypal.com). DKIM would be useful there, but still probably not worth the effort. For me, only 3 domains are a problem (paypal.com, ebay.com, chase.com).