My current views on using DomainKeys (DKIM) here

August 14, 2015

Almost five years ago I wrote about my then-new view of DKIM and how we might someday use it ourselves when we'd updated our mailers enough. Well, the mailers have been updated for a while and not only aren't we using DKIM, I'm not inclined to do so any time soon. Prompted by someone here asking for my opinions on DKIM today, here's my current views.

As far as inbound email goes, I've experimented with a Thunderbird extension to verify DKIM signatures, which showed me that a bunch of perfectly good email gets either warnings or outright failures. Given this result it's clear that our inbound mail gateway can't do anything active with DKIM results, like start rejecting or visibly marking such email; the false positives would swamp any genuine benefit or signal that might be present.

In terms of spam and DKIM, I've seen plenty of spam that has DKIM signatures (and I assume they're valid ones). I've also seen plenty that doesn't. If DKIM data provides some sort of useful signal about spam versus non-spam for email, making use of it is best left up to the black box commercial anti-spam system that we use.

(DKIM does have some clear use in anti-spam stuff since it's a component of DMARC and some people are actively using DMARC these days. But for a collection of reasons we're not going to start enforcing other people's DMARC policies on our inbound mail gateway, although the anti-spam system may take that into account when it scores email.)

For outgoing email, my major concern remains what it was before, namely how other people's systems will behave. I simply don't know how other systems will react to all of our valid DKIM signed email, email we DKIM signed but that then got changed in transit, and email 'From:' us but without a DKIM signature from us. Without confidence that adding DKIM signing will be harmless, I don't feel any enthusiasm for doing so. At this point I'd probably only enable DKIM if there was some significant recipient system that started more or less demanding that we provide it in order to get our email delivered to them.

(I'm sure that eg GMail would like us to start doing DKIM signing, but that they'd like us to do that is exactly why I don't want to. Almost anyone who actively cares about us doing DKIM is going to use it as input into a spam scoring system, and since we consider it fully valid to send email From: our addresses but not through our machines, the last thing I want to do is enable that particular signal.)

Comments on this page:

By Jean Paul at 2015-08-14 11:38:39:

What do you think about SPF?

By cks at 2015-08-14 13:19:38:

Strong SPF by itself is useless because it breaks many things that other people do with their email and it will never actually solve the problems it was theoretically put forward to solve. I wrote more about this in AnInternetRule and RemailingDownsides.

Having (weak) SPF records for your own domain is pragmatically somewhere between useful and necessary, because an increasing number of big email places like GMail really want you to have them. We've had weak SPF records for years as a result; they don't seem to do any visible harm.

(Strong SPF records say 'reject anything that doesn't come from my IPs'. Weak SPF records say 'email from my IPs is definitely legitimate, email from elsewhere could be'.)

By Jean Paul at 2015-08-14 15:14:43:

Thanks!

I only manage outgoing mail, so I don't get to see what happens on the other side, but I've been toying around the idea of implementing SPF and DKIM, mainly to deter spoofing.

As a spam defense mechanism such tools are pointless I think. Apart from anyone being able to configure their domains with valid SPF and DKIM, I believe it's quite common for spammers to go after mail servers too. I've come across poorly written 'contact us' pages before, which were hijacked to send spam. If that underlying machine has SPF and DKIM it might just add credibility to such emails.

Regarding your point in the main post about "email 'From:' us but without a DKIM signature from us.". If I understand correctly, you are questioning what happens when sending unsigned mail and having DKIM records in DNS. In that case, DMARC should be your friend I think.

By cks at 2015-08-14 17:21:43:

In theory a DMARC policy or more exactly the lack of a DMARC policy should be our friend with unsigned email. In practice I rather suspect that various large mail receivers do take notice of this and use it as an input to their reputation scoring systems. And why not, often it may actually be a reasonably good signal in the field.

(All you need for it to be a reasonably good signal is for most or all of the email from the domain to be legitimate email, most of it to be DKIM signed, and some amount of (unsigned) spam being forged in their name. At that point a good Bayesian learner is going to quietly notice that the lack of a DKIM signature significantly raises the odds that an email From: the particular domain is spam.)

Written on 14 August 2015.
« Enabling services on package updates is a terrible mistake
Spam scoring systems are often not deliberately designed »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Fri Aug 14 01:50:41 2015
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.