So my friend, Fred Tabsharani of Port25 Solutions, ran an interesting interview with Franck Martin from Genius.com on the future of DKIM and Domain-Based Reputation. This has been in the works for a few weeks now and really came out nicely.
5 Questions with Franck Martin on the Future of DKIM and Domain-Based Reputation
Below is my interview with Franck Martin, Email Deliverability Services Engineer at Genius.com and a contributing group member of the IETF, in its effort to standardize the use of DKIM. This interview was conducted via Skype, since Franck just happens to live in Suva, Fiji.
Q:FT – RFC 4871 (DKIM) essentially makes RFC 4870 (DomainKeys) obsolete. In your opinion, what’s the future of DKIM and its overall traction in the email industry thus far?
A:FM – The greatest thing that has come from the Internet Engineering Task Force (IETF) is that when an organization or an individual develops an Internet communication protocol, such as DKIM, the IETF makes it rock solid. Essentially, they look at it from all angles, strengthen it, and put their stamp of approval on it to basically say it has the quality of a standard. This shows its maturity and robustness as well as acceptance throughout the industry. DKIM is not here to solve the spam problem; it’s just here to validate the domains that are taking ownership for sending the email. DKIM is oftentimes confused with signing. Yes, DKIM signs some email headers as part of its process, but it does not sign the whole email. PGP and S/MIME are protocols that sign emails and are more complex to implement than DKIM because they require user participation. DKIM requires only the mail administrator’s participation (and he/she is supposed to understand email better than any other classic user). DKIM also helps mitigate some phishing attacks, but here too, it will not solve phishing. An email cannot claim to be from, say, ebay.com, have a DKIM signature related to ebay.com, and not be validated back to ebay.com, provided that eBay states, via Author Domain Signing Practices (ADSP) or other means, that all their email will have their own DKIM validation. Unfortunately, it is not that simple, because the recipient mail server needs to perform various checks with the information that DKIM, ADSP and other tools provide. I could send an email claiming to be from ebai.com and be DKIM validated back to ebai.com, and a lot of users may not recognize that ebai.com is not the same domain as ebay.com.
Q:FT – Have we reached an inflection point with DKIM?
A:FM – For the moment it’s the big players that are implementing DKIM. If you want to have an FBL through any of the ISPs, then DKIM is a requirement. For the smaller players, the value will come through the implementation of tools like SpamAssassin. SpamAssassin is adding rules so that emails which pass the DKIM signature may be whitelisted. A recent study done by Cisco shows there has been strong growth of emails using DKIM. It is more complex to identify DKIM use because, unlike with SPF, querying domains does not indicate the potential use of DKIM. Author Domain Signing Practices (ADSP), another IETF initiative, is a complement to DKIM. It essentially adds information to the validation process to specify the policy of using DKIM for a domain name. If you receive an email that does not include a DKIM signature, you can check the domain name. If it states that all emails will have DKIM, then you can safely drop/trash that email. SpamAssassin is also implementing such rules. There is another value to DKIM. For instance, when a bank sends you an email, you can validate the domain of the bank, but how do you know it truly is a bank? A well-known industry association could include their DKIM validation as a third party, which would provide a more influential path for reputation. Finally, with IPv6, IP-based reputation has some serious challenges to overcome due to the database size required to contain all possible IPs. Domain-based reputation may be the only way to have email work over IPv6. At Genius.com we strongly support the adoption of DKIM (we use it too, of course), and personally, when I was on the board of the Internet Society (which is strongly linked to the IETF), I supported its Trust and Identity initiative (which includes promoting DKIM adoption).
Q:FT – We’ve noticed that email headers from large companies utilize multiple modes of email authentication. Some in fact are using all four—DKIM, SPF, DomainKeys, and SenderID. Is this redundant? Can we now officially call DKIM the standard?
A:FM – DomainKeys is becoming obsolete. Since Yahoo is moving to DKIM, there is no more reason to use DomainKeys. Organizations such as MAAWG and ESPC require at least one form of signing, and DKIM is one recommended method. It is likely to become a requirement quickly because of various industry reputation organizations. SenderID does not seem to have traction anymore, but SPF is a different story. First, for a sender, SPF is very easy to implement because all you need is to add one record to your DNS, and SPF provides a unique functionality in that if you want to know all the servers that a particular domain is sending from, you can use SPF to acquire a list of IP addresses. This is helpful when you try to figure out if you are blocking any IPs when a customer complains he is not receiving emails from the email address of his mother. This shows there is a need for this type of information.
Q:FT – Regarding the early adoption with domain-based reputation by ISPs, where in the email header will these reputation effects be based?
A:FM – My understanding is that it’s in the d= string where the domain reputation will be based. Organizations will use this domain as a reputation filtering mechanism when checking against DNS records (ADSP) and past behavior. Essentially, what do we know about this sender (or domain)? As I understand it, per the IETF RFC, only the d= should be the criterion for reputation analysis. Again, each ISP may treat this differently, and ongoing testing is taking place. Because each ISP has different business rules with domain-based reputation, the IETF is trying to confirm to various implementers what the intent of the standard is.
Q:FT – Will there still be a need to warm-up IPs and establish a reputation through ISPs before sending large quantities of email?
A:FM – Since each ISP has its own filtering systems, warming up IPs would probably still be required to a certain extent. Since DKIM naturally links to domain reputation, and since DKIM will help domain-based reputation, it will be faster to warm up IPs, but we still have to exercise caution given that each ISP has its own set of business policies. Now, on a side note, because we are moving to domain reputation, it will be useful to know who is behind each domain. On its side, ICANN is trying to limit bad behavior with domain registration such as “domain tasting.” Domain tasting is a practice where you can register a domain and drop it within the grace period without having to pay for it. It allows people to use domains to send emails from and switch to another domain after a few days, making it difficult to track the source of the emails and which entity is responsible for that domain. There are other concerns with domain registration, but that's another issue. However, we have to be certain that DKIM does not become an ICANN issue, because too many people are trying to bloat ICANN's mission. DKIM is an email administrator tool and may become a requirement, but I don't think we will see, in the future, any major player dare to drop any emails which do not include DKIM.
Franck has gone on record to say that when I visit Fiji, he will have an exotic Fijian cocktail waiting ☺
Don't Just Send, Deliver!
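The receiver-side policy Franck describes in the interview (reputation keyed on the d= tag of the DKIM-Signature, ADSP deciding what happens to an unsigned message, and the ebai.com lookalike that DKIM validates perfectly well) as an added worked example. This is not code from the interview, Genius.com or Port25: the ADSP records, the bank.example and esp.example domains and the `classify` function are constructed for illustration, DNS is replaced by an in-memory table, and the cryptographic check of the signature is assumed to have already happened (the `signature_verified` flag). The policy values follow RFC 5617 (unknown, all, discardable).

```python
"""Added example: turn a DKIM-Signature d= tag into a reputation identity and
apply an ADSP policy to one message. Not the interview's or any vendor's code."""
import re
from email.utils import parseaddr

# Constructed stand-ins for TXT records at _adsp._domainkey.<domain> (RFC 5617).
# ebai.com (the lookalike from the interview) publishes nothing on purpose.
ADSP_RECORDS = {
    "ebay.com": "dkim=discardable",   # constructed, not eBay's real record
    "bank.example": "dkim=all",       # constructed domain
}


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature tag-list ('v=1; a=rsa-sha256; d=...; b=...')
    into a dict. Only the first '=' separates name from value, so base64
    padding in b= survives; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def author_domain(from_header):
    """The ADSP 'Author Domain': the domain part of the From: address."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookup_adsp(domain):
    """Stand-in for the DNS query; a domain with no record is 'unknown'."""
    record = ADSP_RECORDS.get(domain.lower())
    if record is None:
        return "unknown"
    m = re.search(r"dkim\s*=\s*(unknown|all|discardable)", record)
    return m.group(1) if m else "unknown"


def classify(from_header, dkim_signature=None, signature_verified=False):
    """Decide the reputation identity and ADSP disposition of one message.

    An unverified signature is treated exactly like no signature at all:
    only a verified d= may be used as the identity that reputation attaches to."""
    author = author_domain(from_header)
    signer = None
    if dkim_signature is not None and signature_verified:
        signer = parse_dkim_tags(dkim_signature).get("d", "").lower() or None

    # "Author Domain Signature": verified signature whose d= equals From's domain.
    author_signed = signer == author
    policy = None if author_signed else lookup_adsp(author)
    if author_signed or policy == "unknown":
        action = "accept"
    elif policy == "discardable":
        action = "discard"
    else:  # "all": the domain says everything is signed; disposition is up to the receiver
        action = "suspect"

    return {
        "author_domain": author,
        "reputation_identity": signer,   # the d= value and nothing else
        "author_signed": author_signed,
        "adsp_policy": policy,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed messages; the signature header is abbreviated.
    sig = "v=1; a=rsa-sha256; d={d}; s=s1;\r\n h=from:to:subject; bh=abc=; b=xyz=="
    print(classify("eBay <noreply@ebay.com>", sig.format(d="ebay.com"), True))
    print(classify("eBay <noreply@ebay.com>"))
    print(classify("eBay Security <security@ebai.com>", sig.format(d="ebai.com"), True))
    print(classify("Bank <alerts@bank.example>", sig.format(d="esp.example"), True))
```

The third case is the point of the ebai.com remark: the lookalike carries a valid signature for its own domain, ADSP has nothing to say about it, and the message is accepted; whatever catches it has to be reputation on the d= identity or a human reading the domain, not DKIM. The fourth case shows a third-party signer: reputation attaches to esp.example, while the author domain's "all" policy marks the message as lacking the signature it promised.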