?
SPF, Sender ID, DKIM. This BoF is about DKIM. SPF is about verifying the relaying host; DKIM tries to apply a cryptographic signature to the message.
DKIM is a step towards attaching reputation to email. Short term, it helps weed out phishing of your domain.
Many corporations don't know who all is sending email as them.
? likes subdomains because they are organizational points.
Users don't know, don't care, and don't check. But the algorithms do.
? thinks that big ISPs are going to drive this, because that's where all the email goes to.
CAN-SPAM is complicated for corporations (specifically: marketing departments).
The primary goal of DKIM, for the short run, is to prevent phishing.
The proposed signing standard has been released as an RFC.
DKIM isn't hop-to-hop (a la TLS), but it's not full end-to-end (a la S/MIME) either.
Users get confused amazingly easily.
Tunnels through non-DKIM-aware MTAs *most* of the time.
The idea behind DKIM was: get something simple out now that works.
DKIM can dramatically drop the false-positive rate: if it's signed, and from a known friend, you could (if you wanted to) short-circuit antispam scanning that could possibly generate a false positive and reject/quarantine the message.
Several large online retailers (you know the ones) have gone to large ISPs (you know the ones) and have pleaded with them to REJECT anything from them that's not signed, because it is *absolutely* a phish if it's not signed. We can do this now, with side deals, but we need something like SSP to do this automatically.
Things
"We will personally go out with a stick and beat them."
"Yup. And you can imagine how long that's going to last."
"Some people are doing anti-social stuff, and there's no reason to tolerate that. So we're just going to stop them."
"It's going to be awfully hard to defeat it if your ISP won't even deliver it to your Inbox in the first place."
Short run: slow-changing list of well-known, major signers.
(E.g.: amazon.com can probably be trusted, and they probably won't go away tomorrow.)
2,000 new domains show up every day. Almost every single one of them is a spammer, but not all.
Reputation becomes an input, not the absolute decision.
There are some things that, if you leak them out via email, you will go to jail. This is a great tool for influencing policy management.
Spam around Christmas is very different than spam in June.
If it goes through Exchange, it will break, because Exchange modifies the message. ? reported that accessing an Exchange mailbox via IMAP can pull something that looks a *lot* more like an RFC 2822 message than the munging Exchange produces when you forward via Outlook.
Microsoft has been pushing SIDF (Sender ID Framework). About a week ago, Greg Easel (?) from Microsoft told the audience in Dublin: install and use both DKIM and SIDF.
Allman recommends relaxed; others recommend simple.
sendmail has released an open-source library and milter for DKIM.
If you think you can stop China from putting kanji in email addresses (via EAI), think again. EAI is unstoppable.
The mood these days is bounce, not downgrade.
On EAI: "Who could have predicted that they'd actually want to communicate in their own language?"
Flag days don't work. The only one that ever succeeded was the switch from ARPANET to TCP/IP, and that occurred when there were < 300 hosts on the network. We will never see another flag day.
Most of the big financial institutions have interfaces between their Exchange infrastructures (the soft gooey center) and the Internet. Maybe that will change (if Microsoft can get people to drink that Kool-Aid).
A certain large ISP very near San Jose has issued edicts to certain large senders that incoming messages that are not signed will be limited to 5 recipients only.
Large ISPs don't say things in public.
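The relaxed/simple choice in the notes above refers to DKIM's canonicalization algorithms (RFC 6376 section 3.4), and the Exchange remark is the failure mode they exist for: an intermediate MTA that rewrites whitespace changes the bytes the signature covers, so the receiver's recomputed body hash no longer matches the signer's bh= tag. The Python below is an added example written for these notes; it is not code from the talk or from the sendmail milter. It implements both body and header canonicalizations and the bh= computation, then runs them over a constructed message, a constructed whitespace-munged copy (tabs to spaces, padded columns, trailing blanks, extra blank lines; this is an illustration of the class of change, not a claim about what Exchange specifically rewrites) and a constructed content change. Relaxed survives the munging and simple does not; neither survives the content change, which is the property a signer actually wants.

```python
"""DKIM canonicalization (RFC 6376 section 3.4) and the bh= body hash.
Added example; sample messages and the 'munged' copy are constructed."""
import base64
import hashlib
import re

CRLF = "\r\n"
WSP = r"[ \t]+"   # a run of SP/TAB characters


def canonicalize_body_simple(body: str) -> str:
    """simple: drop empty lines at the end of the body and make sure the
    result ends with exactly one CRLF (an empty body becomes CRLF).
    Everything else, including trailing spaces on a line, is kept."""
    return body.rstrip("\r\n") + CRLF


def canonicalize_body_relaxed(body: str) -> str:
    """relaxed: on each line collapse WSP runs to a single SP and strip
    trailing whitespace, then drop empty lines at the end of the body.
    A non-empty result ends with CRLF; an empty body canonicalizes to ''."""
    lines = [re.sub(WSP, " ", line).rstrip(" ") for line in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else ""


def canonicalize_header_simple(name: str, value: str) -> str:
    """simple: the header field is hashed exactly as it was sent."""
    return f"{name}:{value}{CRLF}"


def canonicalize_header_relaxed(name: str, value: str) -> str:
    """relaxed: lower-case the field name, unfold the value, collapse WSP
    runs to one SP, and strip WSP around the colon and at the end."""
    value = value.replace(CRLF, "")            # unfold continuation lines
    value = re.sub(WSP, " ", value).strip(" ")
    return f"{name.lower().strip()}:{value}{CRLF}"


def body_hash(body: str, canon: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    canon_fn = {"simple": canonicalize_body_simple,
                "relaxed": canonicalize_body_relaxed}[canon]
    digest = hashlib.sha256(canon_fn(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def survives(original: str, received: str, canon: str) -> bool:
    """True if the receiver's recomputed bh= equals the signer's bh=."""
    return body_hash(original, canon) == body_hash(received, canon)


# Constructed sample: the body exactly as the signer sent it.
ORIGINAL = ("Hello Bob,\r\n"
            "\r\n"
            "Your order\t#12345 totals  $19.99.\r\n"
            "Thanks,\r\n"
            "Alice\r\n")

# Constructed: the same body after an MTA that re-flows whitespace
# (tab expanded, column padding, trailing spaces, extra blank lines).
MUNGED = ("Hello Bob,   \r\n"
          "\r\n"
          "Your order    #12345 totals $19.99.\r\n"
          "Thanks,\r\n"
          "Alice\r\n"
          "\r\n"
          "\r\n")

# Constructed: a real content change, the kind a phisher makes.
TAMPERED = ORIGINAL.replace("$19.99", "$1999.00")

if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        print(f"{canon:8s} munged copy verifies: {survives(ORIGINAL, MUNGED, canon)!s:5s} "
              f"tampered copy verifies: {survives(ORIGINAL, TAMPERED, canon)}")
```

Run stand-alone it prints that the simple canonicalization rejects both copies while relaxed accepts the whitespace-only rewrite and still rejects the tampering. The same trade-off applies to the header side: `canonicalize_header_relaxed` tolerates re-folding and case changes in field names that `canonicalize_header_simple` does not. Relaxed is the usual recommendation for exactly the reason the notes give about mail passing through MTAs that rewrite messages; simple is stricter and breaks on harmless changes.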
Eric was an invitee at MAUG, and the big ISPs said a *whole* lot of things that they probably don't want you to know.
Goodmail is fine, so long as they don't try to exclude other mechanisms. At this moment, ? sees no indication that this is going to happen.
A certain large ISP will be moving to DKIM before the end of the year. Someone in the audience mentioned that another ISP is very interested in using DKIM for verification.
There's nothing wrong with accreditation, but you have to be careful with it (e.g., opt-in versus opt-out).
The ISPs have very sophisticated algorithms looking at what you *send*. They're very interested in what you're sending.
One of the big debates is whether ISPs block outgoing port 25. At MAUG, a big ISP claimed that they couldn't block outbound port 25. The audience groaned, and 3 ISPs immediately stood up and said they block outbound port 25 and have had no problems with it.
Bulk senders are almost on the verge of panic, because they realize that they're going to be accountable for the first time.
Financial institutions are moving to requiring (SPF, DKIM, TLS, ?) for all of their members.
You can go to the index of my Usenix notes.