My current views on using DomainKeys (DKIM) here

August 14, 2015

Almost five years ago I wrote about my then-new view of DKIM and how we might someday use it ourselves when we'd updated our mailers enough. Well, the mailers have been updated for a while and not only aren't we using DKIM, I'm not inclined to do so any time soon. Prompted by someone here asking for my opinions on DKIM today, here's my current views.

As far as inbound email goes, I've experimented with a Thunderbird extension to verify DKIM signatures, which showed me that a bunch of perfectly good email gets either warnings or outright failures. Given this result it's clear that our inbound mail gateway can't do anything active with DKIM results, like start rejecting or visibly marking such email; the false positives would swamp any genuine benefit or signal that might be present.

In terms of spam and DKIM, I've seen plenty of spam that has DKIM signatures (and I assume they're valid ones). I've also seen plenty that doesn't. If DKIM data provides some sort of useful signal about spam versus non-spam for email, making use of it is best left up to the black box commercial anti-spam system that we use.

(DKIM does have some clear use in anti-spam stuff since it's a component of DMARC and some people are actively using DMARC these days. But for a collection of reasons we're not going to start enforcing other people's DMARC policies on our inbound mail gateway, although the anti-spam system may take that into account when it scores email.)

For outgoing email, my major concern remains what it was before, namely how other people's systems will behave. I simply don't know how other systems will react to all of our valid DKIM signed email, email we DKIM signed but that then got changed in transit, and email 'From:' us but without a DKIM signature from us. Without confidence that adding DKIM signing will be harmless, I don't feel any enthusiasm for doing so. At this point I'd probably only enable DKIM if there was some significant recipient system that started more or less demanding that we provide it in order to get our email delivered to them.

(I'm sure that eg GMail would like us to start doing DKIM signing, but that they'd like us to do that is exactly why I don't want to. Almost anyone who actively cares about us doing DKIM is going to use it as input into a spam scoring system, and since we consider it fully valid to send email From: our addresses but not through our machines, the last thing I want to do is enable that particular signal.)

Written on 14 August 2015.
« Enabling services on package updates is a terrible mistake
Spam scoring systems are often not deliberately designed »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Aug 14 01:50:41 2015
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.