Bye Bye Spam and Phishing with DKIM? 134
ppadala writes "While research from PEW Internet (PDF) shows that few users really are bothered by spam, IETF is supporting a public key cryptographic based e-mail authentication mechanism called DomainKeys Identified Mail (DKIM) Signatures . The new spec is supposed to help in fighting both spam and fraud. From Ars Technica: 'DKIM's precursor, DomainKeys, was originally developed by Yahoo. The specifications for DKIM were then extended by an informal group of IT organizations that included companies like Yahoo, Cisco, EarthLink, Microsoft, and VeriSign, among others. It was first submitted by the group to the IETF in mid-2005, but only recently published by the IETF. The spec is still to be incorporated into a more formal draft and submitted for approval, however.'"
yahoo press release (Score:4, Informative)
It also has some nice background information on DKIM.
--Robert
Re:few users (Score:5, Informative)
The ISP of one of my clients just turned on 'greylisting' and their mail volume dropped 71%, knocking their spam % down to 11% of their new volume.
They would rather spend the budget on stopping spam rather than upgrading their servers. It's that big of a problem.
DKIM will help (until fake 'certificates' show up) but it won't solve the problem. Only flame-throwers, and lots of them, will fix this once and for all.
Re:Sooooo close... but not going to work. (Score:4, Informative)
The problem with spam is that it isn't just an email problem. If it was, then we'd all have had this beat a long time ago.
Why would you mod this down? (Score:1, Informative)
My solution... (Score:1, Informative)
Re:I am trying DKIM (Score:1, Informative)
Basically you omit the t=y dns entry and specify o=-, but because of the relative immaturity of the standard, it might be ignored.
2) Mailing lists add a footer which messes with the signature.
It really depends at what stage you add the footer. The intent of DKIM is to verify at the MTA level, so if you can check the signature before you change the message content, DKIM is still worthwhile.
As a consequence DKIM at the moment is completely useless since even though all my emails are signed, spammers/phishers can simply not put the DKIM signature and DKIM wouldn't know if the email was forged or not.
Much of the spam I encounter is from forged Hotmail (SPF/SenderID), Yahoo (DomainKeys) and GMail (SPF/Domainkeys/DKIM) accounts and implementing these systems help to control, or at least identify the source of the spam. It also helps in preventing spammers from abusing your domain because almost all free webmail providers implement at least one of these standards, and your messages are less likely to end up classified as junk.