Wednesday, May 23, 2007

Why DKIM Will Fail

CNET reports that the DomainKeys Identified Mail (DKIM) project just got preliminary approval from the IETF. The usual suspects in the open source crowd (e.g., Sendmail, Postfix) have added support, and a few closed source vendors have too. In addition to software support, the big names in email providers (AOL, Yahoo, etc.) have added support on their end.

Notably missing is Microsoft which is significant given that most of the corporate world runs on Exchange.

Here are two reasons why DKIM is destined to become yet another irrelevant standard:

  1. Without Microsoft's backing, DKIM will lack the wide scale adoption necessary to be effective.

  2. Spammers will simply sign their spam.

On the first point, you have to stop and think about how email as a market is segmented, because raw numbers alone are misleading. Email is broken down into two major categories: enterprise email and everything else. The everything else bucket includes the big email providers like Yahoo, AOL, and Hotmail, as well as countless hosting providers. User for user, the everything else bucket is *huge*, but largely consumer based. While they can make the C2C and B2C worlds move, they can't make the B2B world move. Thus the kicker: enterprise email is dollar for dollar more significant.

The people willing to pay the hosting providers for services tend to be businesses that need services above basic email and are willing to pay for it. These businesses need to communicate with everyone and unless all the other enterprise users start using DKIM, Yahoo and friends will need to continue allowing non-DKIM email. After all, hosting providers are not going to anger their highest margin customers.

As for the second point, spammers have long adopted the hit-and-run approach to spamming. There are two approaches to working around DKIM. Approach 1: Get a legitimate domain with a legitimate signature, and spam until the signature is no longer trusted. Ditch the domain and get a new signature. Approach 2: Leverage botnets to send email from users that have trusted accounts through trusted email servers. Continue until either the user is no longer trusted and the ISP shuts them down, or the user cleans up their machine.

Either way, spammers will get a signature and users will continue to see spam in their inbox.

At this point, I believe that spamming is going to be an indefinite problem much like how junk mail is an indefinite problem. The most effective approaches to blocking spam will continue to be content based filtering and the arms race between content filtering technology and spammers will continue. Anti-spam companies know this -- despite DKIM and countless other "stop them at their source" projects, anti-spam's long term prospects continue to look good.

Time to go update SpamAssassin...


Blogger Jim Fenton said...

Sure, spammers will sign their messages; we have evidence that some already are. Rather than being any indication of "goodness", a valid DKIM signature provides an identity that is reliable enough to be used to accrue or lookup a reputation or accreditation. It's the use of reputation and accreditation that provides the more direct tools against spam.

9:21 PM  
Blogger Richi Jennings said...

CNET's story was based on a fundamental misunderstanding -- DKIM is not an anti-spam technique. See m'blog for more.

4:29 AM  
Anonymous Eric Gillette said...

Yeah, I agree with the others on the assertion that DKIM is not an "anti-spam" technique. It's more of a framework designed to make e-mail senders accountable for the messages they send. It helps receiving servers (the ones that check for DKIM signatures, like Google and Yahoo for example) identify a sender (and his server), and makes it a little easier to establish a "credibility" or "reputation", for lack of a better term, towards a sender and/or the server/domain they send from. That's why spammers would have to jump ship to a new server so quickly in the first place -- after being identified easily by their DKIM signatures. Further to this, you have to consider also that DKIM/DomainKeys is no easy thing to implement for the faint-hearted. Sure, there are drop-ins and modules you can use for major MTAs like QMail and Postfix, but spammers aren't likely to go through that much trouble -- maybe they will, but I still think DKIM/DomainKeys gives us all a reason to be hopeful about the future of e-mail delivery. Whether or not Microsoft joins the race remains to be seen; however, Microsoft isn't the end-all, be-all. Even enterprise based e-mail will be subjected to the scrutiny of DKIM at some point, and once enough e-mail ends up in SPAM folders (and Yahoo is pretty aggressive about that), enterprise users will begin to ask for DKIM/DomainKeys support in their systems. In addition, I don't think Microsoft will be too far behind in adopting support for DKIM, since they were early supporters of DKIM/SPF/SenderID in the first place.

9:53 PM  
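Both Jim Fenton's and Eric Gillette's replies make the same point: a valid DKIM signature only pins a signing identity (the d= domain) on which a reputation can be looked up, so a signed message is not automatically a good one. The receiving-side logic below is an added example, not code from the post or from either commenter: it parses the DKIM-Signature tag list, computes the bh= body hash under the "simple" canonicalization from RFC 4871, and then consults a constructed reputation table; the RSA check of the b= tag is assumed to have been done by the caller and is passed in as a boolean.

```python
import base64
import hashlib
import re

# Constructed reputation scores per signing domain (d= tag), standing in for the
# reputation/accreditation service the commenters describe. Values are made up.
REPUTATION = {
    "bank.example": 0.95,      # long-lived, well-behaved sender
    "spamshop.example": 0.05,  # signed its spam and burned its reputation
}

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 4871 tag-list)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)      # maxsplit keeps base64 '=' padding
            tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace ignored
    return tags

def key_record_name(tags):
    """DNS name where the selector's public key lives: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def simple_body_hash(body):
    """bh= under 'simple' body canonicalization: CRLF line endings, every trailing
    empty line dropped, exactly one CRLF at the end (an empty body hashes as CRLF)."""
    canon = "\r\n".join(body.replace("\r\n", "\n").split("\n")).rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode("utf-8")).digest()).decode("ascii")

def classify(dkim_header, body, signature_valid):
    """Receiver policy. signature_valid is the outcome of the RSA check of b=,
    which this example assumes the caller already performed."""
    if dkim_header is None:
        return "unsigned"        # no identity to score; content filtering only
    tags = parse_dkim_tags(dkim_header)
    if tags.get("bh") != simple_body_hash(body) or not signature_valid:
        return "dkim-fail"       # body altered or signature bogus: no usable identity
    score = REPUTATION.get(tags["d"])
    if score is None:
        return "unknown-sender"  # valid signature but no history: content filtering
    if score >= 0.8:
        return "accept"
    if score <= 0.2:
        return "reject"          # valid signature does NOT mean good mail
    return "content-filter"

# Constructed sample: the body canonicalizes to "Hello\r\n"; b= is a placeholder.
SAMPLE_BODY = "Hello\n\n\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=simple/simple; d=spamshop.example; s=sel1; "
                 "h=from:to:subject; bh=" + simple_body_hash(SAMPLE_BODY) + "; b=AAAA")
```

With the sample above, `classify(SAMPLE_HEADER, SAMPLE_BODY, True)` returns "reject": the signature verifies, the identity it establishes is simply one nobody trusts.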
