What are the advantages of DKIM

Tags: digital-signatures, dkim, email

After making my server sign outgoing email I started to wonder what the benefits are.

This is the opposite of a previously asked question.

Naively I see two benefits:

  1. We can throw away all emails which don’t carry a valid signature: Wrong! Mail forwarders (like Mailman) will produce emails from someone at «domain which signs» which are not signed correctly (in their forwarded shape).

  2. We can skip spam checking on signed email: Wrong! A spammer can send a single email through e.g. gmail.com and then resend that email as-is (w/o changing headers) to a million people.

So what are the selling points of DKIM?

Best Answer

DKIM is about reputation. From the intro paragraph of the main website (dkim.org):

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for delivery.

One place you can look up reputation is at: http://www.dkim-reputation.org/

Yes, a spammer can DKIM sign a message, but that message then goes through SpamAssassin and gets scored. You then build a database of signed domains and what kind of messages the domains send. If (say) gmail.com keeps sending spam, then SA knows to increase the spamminess level of that domain; if it sends more 'ham', then SA will learn to trust those domains/signatures.

You are correct in saying that you can't base the spam or ham status of a message with DKIM alone (at least not right away), but it helps in determining where a message has passed through. Whereas a non-signed message could have theoretically come from anywhere, having its content changed at any point in the process. Once you have at least one DKIM signature (and there can be several), you have a data point to start assessing the reputation of relays.

DKIM is about taking responsibility for the mail that goes through your relays. If you're not signing messages, then why should receivers bother trusting you? If you do sign messages, then recipient SMTP servers can learn about your relays and be confident in the reputation data they're collecting. They're just one more link in a chain (Bayesian filtering, dial-up/DSL black lists, razor content database, etc.).

For point (1): mail forwarders were thought of in the design of DKIM:

http://www.circleid.com/posts/dkim_for_discussion_lists/

For point (2): you are correct that you still have to do spam checking. But before, you had no link between a domain and a spam score: every message was treated independently of every other message. Now you potentially have something linking different messages together. Put that common link into a database and you can start doing analysis on it.
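The per-signing-domain bookkeeping the answer describes, as an added Python example that is not part of the original post, of SpamAssassin, or of any DKIM library: it parses the `d=` tag out of the DKIM-Signature header and keeps a running spam score per domain, while the cryptographic verification result and the spam score are assumed to come from an existing verifier and content filter. The sample messages, domains and scores are constructed.

```python
import email
from email import policy
from collections import defaultdict

def signing_domain(raw_message: str):
    """Return the d= tag of the first DKIM-Signature header, or None if unsigned.
    Only the header is parsed; the signature check itself is assumed done elsewhere."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags.get("d", "").lower() or None

class DomainReputation:
    """Running spam score per signing domain, fed by the content filter's verdicts."""
    def __init__(self):
        self.total = defaultdict(float)
        self.count = defaultdict(int)

    def record(self, raw_message: str, signature_verified: bool, spam_score: float):
        """Add one data point. Unsigned mail, or mail whose signature no longer
        verifies (e.g. rewritten by a list), yields no data point: nothing ties it
        to a domain that took responsibility for it."""
        domain = signing_domain(raw_message)
        if domain is None or not signature_verified:
            return None
        self.total[domain] += spam_score
        self.count[domain] += 1
        return domain

    def mean_score(self, domain: str):
        """Average spam score seen from this domain, or None with no history."""
        if self.count[domain] == 0:
            return None
        return self.total[domain] / self.count[domain]

# Constructed sample messages (placeholder hash/signature values, not real DKIM output).
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; d=Bulk.Example; s=sel;\n"
          " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
          "From: news@bulk.example\nSubject: Buy now\n\nbody\n")
UNSIGNED = "From: someone@anywhere.example\nSubject: hello\n\nbody\n"

def demo():
    db = DomainReputation()
    db.record(SIGNED, True, 8.0)      # verified, scored spammy by the filter
    db.record(SIGNED, True, 6.0)
    db.record(UNSIGNED, False, 9.0)   # no signature: nothing to attribute it to
    db.record(SIGNED, False, 1.0)     # signature broken in transit: ignored
    return db
```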
