
After making my server sign outgoing email I started to wonder what the benefits are.

This is the opposite of a previously asked question.

Naively I see two benefits:

  1. We can throw away all emails which don’t carry a valid signature: Wrong! Mail forwarders (like Mailman) will produce emails from someone at «domain which signs» which are not signed correctly (in their forwarded shape).

  2. We can skip spam checking on signed email: Wrong! A spammer can send a single email through e.g. gmail.com and then resend that email as-is (w/o changing headers) to a million people.

So what are the selling points of DKIM?

duff

2 Answers

DKIM is about reputation. From the intro paragraph of the main website (dkim.org):

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for delivery.

One place you can look up reputation is at: http://www.dkim-reputation.org/

Yes, a spammer can DKIM sign a message, but that message then goes through SpamAssassin and gets scored. You then build a database of signed domains and what kind of messages the domains send. If (say) gmail.com keeps sending spam, then SA knows to increase the spamminess level of that domain; if it sends more 'ham', then SA will learn to trust those domains/signatures.

You are correct in saying that you can't base the spam or ham status of a message on DKIM alone (at least not right away), but it helps in determining where a message has passed through, whereas a non-signed message could have theoretically come from anywhere, having its content changed at any point in the process. Once you have at least one DKIM signature (and there can be several), you have a data point to start assessing the reputation of relays.

DKIM is about taking responsibility for the mail that goes through your relays. If you're not signing messages, then why should receivers bother trusting you? If you do sign messages, then recipient SMTP servers can learn about your relays and be confident in the reputation data they're collecting. They're just one more link in a chain (Bayesian filtering, dial-up/DSL black lists, razor content database, etc.).

For point (1): mail forwarders were thought of in the design of DKIM:

http://www.circleid.com/posts/dkim_for_discussion_lists/

For point (2): you are correct that you still have to do spam checking. But before you had no link between a domain and a spam score: every message was treated independently of every other message. Now, you potentially have something linking different messages together. Put that common link into a database and you can start doing analysis on it.

Greg Bray
  • As for point (2) my claim is that DKIM can be “forged” just like you can forge a `From:`-header: I sent a message to myself from gmail.com and then passed this on to `check-auth(at)verifier.port25(dot)com` as-is (telnet … 25, providing a `RCPT TO`). This message validated (using gmail.com’s reputation). So if we were to use reputation, it is fairly easy to piggyback on one of the big provider’s reputation — unlike e.g. SPF, where I can’t pose as gmail.com since my IP is not listed as one of those sending mail on behalf of Google. – duff May 17 '10 at 09:58
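Both objections in the question (a list footer breaking the signature, an unchanged message validating on replay) come down to DKIM's body hash, which is what the answer's "data point, not a decision" argument rests on. The following is an added example, not code from the question or either answer: it implements only the bh= check of RFC 6376 with simple body canonicalization; the RSA signature over the headers (b=), the DNS key lookup and the domain example.org are left out or constructed.

```python
import base64
import hashlib
import re

# Simple body canonicalization (RFC 6376 section 3.4.3): normalise line
# endings to CRLF and strip trailing empty lines; an empty body becomes CRLF.
def canonicalize_body_simple(body: str) -> bytes:
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str) -> str:
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (folding removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(dkim_sig: str, body: str) -> bool:
    """The verifier's first step: recompute bh= and compare with the tag."""
    return parse_dkim_tags(dkim_sig).get("bh") == body_hash(body)

# Constructed sample: the header a signing MTA at example.org (hypothetical
# domain) would add; b= is a placeholder because the RSA step is not modelled.
ORIGINAL_BODY = "Hi,\r\n\r\nThe deploy is done.\r\n"
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=sel1; "
    "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=<placeholder>"
)

def replay_scenario() -> bool:
    # Point (2): a relay resending the message byte-for-byte keeps bh= valid,
    # so the verifier cannot tell a replay from the original delivery.
    return body_hash_matches(DKIM_SIGNATURE, ORIGINAL_BODY)

def list_footer_scenario() -> bool:
    # Point (1): a discussion list appending a footer invalidates bh=, which
    # is why "reject everything unsigned or broken" is not a safe policy.
    forwarded = ORIGINAL_BODY + "--\r\nUsers mailing list\r\n"
    return body_hash_matches(DKIM_SIGNATURE, forwarded)
```

A receiver that treats a failed check as "no reputation data for this message" rather than "reject" gets the scoring benefit the answer describes without losing list traffic.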

The only real advantage from my perspective is that outgoing emails are just a bit less likely to be flagged as spam. Some legitimate emails can appear to be borderline spam, for all sorts of reasons. In the mail scanners I've seen and used a valid DKIM sig will add a positive (ham) score, which may make all the difference between those emails being flagged as spam or being allowed through as ham.

Note that this is NOT the same as skipping spam checking using other methods, or skipping it altogether. It's just a matter of improving the score, not making a definitive decision.

John Gardeniers
  • I should have mentioned SPF in my question. SPF to me seems to be a better DKIM in aiding “ham checkers”. Less computational overhead, doesn’t add base-64 data to the email, and effectively renders a bot net useless for sending spam if we disallow email from addresses without a stated SPF policy (okay, that might not be practical, but not unrealistic either as SPF is fairly simple to implement, doesn’t have a problem with mail forwards like DKIM has, and doesn’t have the “replay” weakness that DKIM has (where a bot net can be made to resend a signed message over and over again)). – duff May 17 '10 at 00:18
  • SPF and DKIM can have the same kind of effect on spam filtering but they are very different things. SPF can be checked before the message transfer has even begun. – John Gardeniers May 17 '10 at 00:47