Wednesday, May 23, 2007

Why DKIM Will Fail

CNET reports that the Domain Keys Identified Email (DKIM) project just got preliminary approval from the IETF. The usual suspects in the open-source crowd (e.g., Sendmail, Postfix) have added support, and a few closed-source vendors have too. In addition to software support, the big names in email providers (AOL, Yahoo, etc.) have added support on their end.

Notably missing is Microsoft, which is significant given that most of the corporate world runs on Exchange.

Here are two reasons why DKIM is destined to become yet another irrelevant standard:

  1. Without Microsoft's backing, DKIM will lack the wide-scale adoption necessary to be effective.

  2. Spammers will simply sign their spam.

On the first point, you have to stop and think about how email as a market is segmented, because raw numbers alone are misleading. Email breaks down into two major categories: enterprise email and everything else. The everything-else bucket includes the big email providers like Yahoo, AOL, and Hotmail, as well as countless hosting providers. User for user, the everything-else bucket is *huge*, but largely consumer-based. While they can make the C2C and B2C worlds move, they can't make the B2B world move. Thus the kicker: enterprise email is, dollar for dollar, more significant.

The customers willing to pay hosting providers tend to be businesses that need more than basic email and are willing to pay for it. These businesses need to communicate with everyone, and unless all the other enterprise users start using DKIM, Yahoo and friends will need to keep accepting non-DKIM email. After all, hosting providers are not going to anger their highest-margin customers.

As for the second point, spammers have long adopted the hit-and-run approach to spamming. There are two approaches to working around DKIM. Approach 1: Get a legitimate domain with a legitimate signature, and spam until the signature is no longer trusted. Ditch the domain and get a new signature. Approach 2: Use botnets to send email from users' trusted accounts through trusted mail servers. Continue until either the user is no longer trusted and the ISP shuts them down, or the user cleans up their machine.

Either way, spammers will get a signature and users will continue to see spam in their inbox.

At this point, I believe that spamming is going to be an indefinite problem, much as junk mail is an indefinite problem. The most effective approaches to blocking spam will continue to be content-based filtering, and the arms race between content-filtering technology and spammers will continue. Anti-spam companies know this -- despite DKIM and countless other "stop them at their source" projects, anti-spam's long-term prospects continue to look good.

Time to go update SpamAssassin...

2 Comments:

Blogger Jim Fenton said...

Sure, spammers will sign their messages; we have evidence that some already are. Rather than being any indication of "goodness", a valid DKIM signature provides an identity that is reliable enough to be used to accrue or lookup a reputation or accreditation. It's the use of reputation and accreditation that provides the more direct tools against spam.

9:21 PM  
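An added example (not code from the post, its commenters, or any DKIM implementation) of the reputation model described in the comment above: the signing domain is read from the d= tag of a DKIM-Signature header, and the accept/reject decision comes from that domain's reputation, while unsigned mail falls through to content filtering. It checks only the bh= body hash; RSA verification of the b= tag is assumed to be done by a full DKIM library, and the domains, reputation table and message are constructed.

```python
import base64
import hashlib
import re

# Added example, not the post's code nor any DKIM library's. Only the
# bh= body hash is checked; RSA verification of b= is assumed elsewhere.

def canonicalize_body(body: str) -> bytes:
    """DKIM 'simple' body canonicalization: CRLF line ends, trailing empty lines dropped."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body)).digest()).decode()

def parse_dkim_tags(header: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header; folding whitespace is dropped."""
    tags = {}
    for item in header.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def make_signature_header(domain: str, selector: str, body: str) -> str:
    """Constructed signer side: fills in bh= for the body; b= is a placeholder."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")

# Constructed reputation table keyed by signing domain; positive means trusted.
REPUTATION = {"bulk-sender.example": -5, "bank.example": 8}

def decide(dkim_header, body: str, reputation=REPUTATION) -> str:
    """Return 'accept', 'reject' or 'content-filter' for one message."""
    if dkim_header is None:
        return "content-filter"  # unsigned mail must still flow (point 1 of the post)
    tags = parse_dkim_tags(dkim_header)
    if tags.get("v") != "1" or tags.get("bh") != body_hash(body):
        return "content-filter"  # broken signature: no usable identity
    score = reputation.get(tags.get("d"))  # a valid signature only names the signer
    if score is None:
        return "content-filter"  # unknown signer: no reputation yet, judge the content
    return "accept" if score > 0 else "reject"  # signed spam still gets rejected
```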
Blogger Richi Jennings said...

CNET's story was based on a fundamental misunderstanding -- DKIM is not an anti-spam technique. See m'blog for more.

4:29 AM  
