[Mimedefang] What about DKIM

Jan-Pieter Cornet johnpc at xs4all.nl
Mon Apr 1 18:22:59 EDT 2013


On 2013-3-27 18:48 , David F. Skoll wrote:
>>   Now that we've seen/talked some stats on SPF... I'd be interested to
>> know what anyone might have to offer on DKIM usefulness.
>
> The up-and-coming thing is DMARC, which will probably enjoy good press the
> way SPF and DKIM did for a few years until it too is found to be not
> very useful. :)
> 
> DMARC is intended to close two loopholes: It lets domain owners *specify*
> what you should do on SPF fail or DKIM fail, and it gives domain owners
> feedback about failed SPF/DKIM so a domain owner can know that he/she's
> the victim of spoofing.
> 
> DMARC falls flat because it does not in any way protect what the user
> sees as the "From" field in a mail reader, so phishers can happily spoof
> mail and still be DMARC-compliant.

Hey, I like DMARC. I've even implemented DMARC verification in MIMEDefang ;) (the reporting bit is a stand-alone process). It's useful, because it will deter phishers from abusing a domain (a national Dutch bank saw a decrease of 71% of the number of phishing mails spoofing their domain, since enforcing DMARC). However, it's only useful for "transactional" mails: you cannot use it for domains with ordinary users on it (so: it's for banks or other institutions that send lots of automated mails that are often the targets of phishing).

DMARC protects the domain in the From: header. No more, no less. Anyone can still say they're From: "security at qayqal.com" <evil at spammer.tld>, and most users will see the address between quotes instead of the <real> address. MUA authors are beginning to wake up to this; just a few days ago I had a friendly chat with someone from an organization that probably has the largest number of installed MUAs out there. Worldwide, about 60% of all inboxes already apply DMARC verification. Don't write it off just yet ;)

The biggest problem for DMARC (and DKIM) is that it breaks on mailing list mails.

> Not widely used. Also, Yahoo, who started DK, doesn't even do its
> "ADSP" extension coding correctly: 

ADSP is almost dead, and widely considered dangerous. Nobody in his right mind should be using it anymore.

-- 
Jan-Pieter Cornet
"Most seasonal greetings are sent by spammers and phishers."
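
The display-name gap described in the message above, as an added example that is not part of the original post or of MIMEDefang: a Python check that flags a From: header whose display name shows an address from a different domain than the real address, which DMARC does not evaluate. The function names and the two-label organizational-domain shortcut are assumptions; the sample headers are constructed.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# An address-like token inside the display name; group 1 is its domain.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # A production check would use the Public Suffix List, as DMARC does.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_from(header_value):
    """Return (verdict, shown_domain, real_domain) for one From: header value."""
    raw_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("unparseable", None, None)
    real = addr.rpartition("@")[2].lower()
    # Decode RFC 2047 encoded-words so an encoded "@" cannot hide the address.
    name = str(make_header(decode_header(raw_name)))
    match = EMBEDDED_ADDR.search(name)
    if match is None:
        return ("ok", None, real)
    shown = match.group(1).lower()
    if org_domain(shown) == org_domain(real):
        return ("ok", shown, real)
    return ("display-name-mismatch", shown, real)

# Constructed sample headers; the first is the case quoted in the post above,
# with the archive's " at " obfuscation undone.
SAMPLES = [
    '"security@qayqal.com" <evil@spammer.tld>',
    '=?utf-8?q?security=40qayqal.com?= <evil@spammer.tld>',
    '"security@qayqal.com" <security@mail.qayqal.com>',
    'Jan Example <jan@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_from(header), header)
```
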
