Wandering Thoughts archives

2018-11-04

DKIM provides sender attribution (for both spam and not necessarily spam)

The presence of a valid DKIM signature on incoming email doesn't tell you much about whether or not it's spam, or even whether it comes from a dedicated spam sender. Spammers can and do add proper DKIM signatures to their messages, and many legitimate senders don't use DKIM or don't have valid DKIM signatures, as our recent DKIM stats demonstrate. For that matter, some spam comes from legitimate places that DKIM sign all of their outgoing email (such as GMail). However, it has recently struck me that what a valid DKIM signature does provide is attribution.

If we receive a piece of email with a valid DKIM signature, we can confidently attribute it to the signing domain (the d= domain named in the signature, which need not be the domain in the From: header). Either that domain really sent it, or the domain has lost control of its DKIM signing key, of the DNS zone that publishes the matching public key, or both, and one of these is far more likely than the other. With a valid DKIM signature, all arguments about the 'real' sender, backscatter and so on are swept away; it was real email from the sending domain, period. In fact the sending domain went out of its way to make its email attributable to it.
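
As an added example (not from the original entry), here is what a receiver can actually pull out of a DKIM-Signature header to support that attribution: the d= domain the message is attributed to, the DNS name (<s>._domainkey.<d>) where that domain publishes the public key, a check of the bh= body hash against the canonicalized body, and whether the visible From: domain lines up with d= at all. The message, selector and From: address are constructed for the example; the b= value is a placeholder because no key exists for this selector, so verifying the signature over the headers (which needs the public key from DNS) is deliberately left out. Standard library only.

```python
"""Constructed example: what a DKIM-Signature header attributes, and to whom.

Parses the RFC 6376 tag list, derives the signing domain (d=) and the DNS
record name for its public key, canonicalizes the body and checks bh=.
Signature verification over the headers (b=) needs the public key from DNS
and an RSA/Ed25519 check, which this example stops short of.
"""
import base64
import hashlib
import re


def parse_dkim_tags(value):
    """Split 'v=1; a=rsa-sha256; d=...' into a dict. Folding whitespace inside
    tag values (common in b= and bh=) is removed, as RFC 6376 requires."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, mode):
    """RFC 6376 body canonicalization. 'relaxed' collapses runs of SP/HTAB to a
    single SP and strips trailing whitespace on each line; both modes drop
    trailing empty lines and end a non-empty body with exactly one CRLF."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, tags):
    """What bh= must be for this body under the header's a= and c= tags."""
    hash_name = tags.get("a", "rsa-sha256").split("-", 1)[1]  # sha256 or sha1
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    digest = hashlib.new(hash_name, canonicalize_body(body, body_mode)).digest()
    return base64.b64encode(digest).decode()


def body_hash_matches(tags, body):
    """True when the body in hand is the body that was signed."""
    return body_hash(body, tags) == tags.get("bh")


def signing_domain(tags):
    """The domain a valid signature attributes the mail to: d=, not From:."""
    return tags["d"].lower()


def key_record_name(tags):
    """DNS TXT name a verifier fetches for this signature's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def from_aligned(tags, from_header):
    """Does the visible From: domain match d=? DKIM itself does not require
    this (DMARC does); attribution is to d= regardless of the answer."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    from_dom = addr.rsplit("@", 1)[-1].lower()
    d = signing_domain(tags)
    return from_dom == d or from_dom.endswith("." + d)


# --- constructed sample message; not real mail, not a real selector ----------
SAMPLE_BODY = b"Hello,\r\n\r\nThis is   a test.  \r\n\r\n\r\n"
# bh= is computed from the body exactly as a signer would; b= is a placeholder.
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2018;\r\n"
    " h=from:to:subject:date; bh="
    + body_hash(SAMPLE_BODY, {"a": "rsa-sha256", "c": "relaxed/relaxed"})
    + ";\r\n b=PLACEHOLDER"
)
SAMPLE_FROM = "Someone <someone@mail.example.com>"

if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_DKIM)
    print("attributed to:", signing_domain(tags))
    print("public key at:", key_record_name(tags))
    print("body hash ok: ", body_hash_matches(tags, SAMPLE_BODY))
    print("From aligned: ", from_aligned(tags, SAMPLE_FROM))
```

The point the code makes concretely: everything the receiver learns is about d=. A message whose From: says one domain but whose signature says another still has a valid, attributable signature; it is simply attributed to the signer, not to the name in From:.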

This doesn't mean that the sending domain will accept replies and bounces to that email; far from it. But it does mean that the sending domain can't argue that they didn't send out the email and so are not socially obliged to accept replies. They really sent that email, in a way that provides undeniable attribution. Any refusal to accept replies is just a middle finger extended to other mail systems on the Internet (a fairly common middle finger, of course, because a lot of the modern Internet is defined by not caring about other people).

PS: It strikes me that this attribution may be one reason that large email providers such as GMail increasingly want DKIM signatures these days, because once you have definite attribution for incoming email you can do a number of things based on that with much higher certainty. And people sure can't argue with you about email 'not really coming from them'; they signed it.

(This realization was sparked by a discussion with Aneurin Price in comments in this recent entry. In a sense it's an obvious one, since DKIM's entire purpose is to validate email as coming from a specific source and the flipside of such validation is necessarily attribution.)

spam/DKIMProvidesAttribution written at 21:30:51

My view on Debian versus Ubuntu LTS for us today

When we started with Ubuntu in 2006, Debian was mired in problems such as slow releases and outdated software that drove people to run 'testing' instead of 'stable'. Ubuntu essentially offered 'Debian with the problems fixed'; Ubuntu LTS had regularly scheduled releases, offered a wide package selection of reasonably current software, and gave us a long support period of five years. This was very attractive to us and has made Ubuntu the dominant Linux here ever since (cf). However, we don't entirely like it and never really have. We weren't enthused from very early on, and we soon came to understand various limitations of Ubuntu, such as them not really fixing bugs. Recently we've come to understand that a large portion of Ubuntu's packages are effectively abandonware, cloned once from Debian and then never updated (making bug reports to Ubuntu useless).

(It's not just packages in Ubuntu's 'universe' repo that are abandonware, although being in 'universe' basically guarantees it; our experience is that packages from 'main' don't see many bug fixes either. And 'universe' is much of what's important to us.)

All by itself this has started making Debian look more attractive to me. Debian doesn't have the reliable release schedule of Ubuntu, but these days it's managing roughly every two years (the same as Ubuntu LTS), and we're not locked to upgrading only at a specific time of year the way some people are. Our user-facing machines are upgraded every Ubuntu LTS release, so they're already not taking advantage of the long LTS support cycle, and we would likely get better support for packages in practice. And since Debian and Ubuntu are already so close, switching probably wouldn't be too hard. But things are actually better for Debian than this, because since I last looked in 2014 Debian has gained some degree of relatively official long term support (and even extra extended LTS for Debian 7).

(Part of the extended support is driven by people paying for it, which is both good in general and means that it might be possible for us to contribute if we started to use Debian.)

As a result, I now have a much more positive view of Debian and I've come around to thinking that it'd probably be a perfectly viable alternative to Ubuntu LTS for us, and in some ways likely a superior one (although we wouldn't know for sure until we actually tried to use it over the full life cycle of a machine).

Will we actually switch? Probably not, unfortunately. Debian being just as good and maybe a bit better doesn't overcome the fact that we're already using Ubuntu and it hasn't blown up in our faces yet. Perhaps I'll do an experimental install of the next Debian when it comes out (hopefully in mid 2019) to see what it's like and how easy it would be to integrate into our environment.

(This entry was prompted by an exchange on Twitter, except that it turns out I was wrong about the Debian support duration; I found out about Debian LTS support as a result of doing research for this entry.)

linux/DebianVsUbuntuForUs written at 01:55:59

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.