2007-01-27
Why I think that DNS whitelists are going to fail
There's been a recent fad for DNS whitelists, the rough inverse of DNS blacklists; instead of listing claimed bad sources of email, they list claimed good sources. I've been thinking about this for a while, and I believe that such DNS whitelists are going to fail.
Why I believe DNS whitelists are doomed can be summed up in a simple question: do you whitelist Hotmail or not? If you whitelist Hotmail, you are whitelisting a known source of a not insignificant amount of spam. If you don't whitelist Hotmail, you are not whitelisting a place that sends a lot of legitimate email that's wanted by the people it's sent to. Either answer damages your DNS whitelist.
The fundamental issue is that there is no nice binary spam/no spam dividing line for hosts; instead it is more like:
- sends no spam
- sends spam but only as part of forwarding email in general
- originates some spam along with legitimate email
- originates too much spam (to the limiting point of not originating any legitimate email).
(Hotmail, Yahoo, Google Mail, and so on are #3s. Places that forward mail (whether directly for users or by running mailing lists) are sooner or later #2s.)
Among other issues, where do you draw the line between #3 and #4 and decide to (not) list someone? I don't think there are any objective criteria, so it comes down to 'too big to not whitelist', and sooner or later you (the list operator) and I (the list user) are going to disagree about that.
(You can take the intellectually pure path and only list #1, but then what's the point? Most of the interesting places we get email from are going to fall into #2 and #3.)