Bye Bye Spam and Phishing with DKIM?

ppadala writes "While research from PEW Internet (PDF) shows that few users really are bothered by spam, IETF is supporting a public key cryptographic based e-mail authentication mechanism called DomainKeys Identified Mail (DKIM) Signatures . The new spec is supposed to help in fighting both spam and fraud. From Ars Technica: 'DKIM's precursor, DomainKeys, was originally developed by Yahoo. The specifications for DKIM were then extended by an informal group of IT organizations that included companies like Yahoo, Cisco, EarthLink, Microsoft, and VeriSign, among others. It was first submitted by the group to the IETF in mid-2005, but only recently published by the IETF. The spec is still to be incorporated into a more formal draft and submitted for approval, however.'"

It's only a server validiation solution

[jimpop]

It's only a server validiation solution. DKIM won't stop spam. DKIM will only help validate the identity of the server that is sending you email. Right now I get lots of spam from legitimate Yahoo, Mail.com, and Hotmail servers. DKIM isn't going to stop that it's only going to reinforce what I already know.

Re:It's only a server validiation solution

[MightyMartian]

A quick read of the RFC tells me that this is simply a more computationally-intensive variant of SPF. It still requires rewriting the headers for forwarding, will likely not have the degree of adoption so that anyone in charge of a mail system actually feels confident enough to use it as another weighting factor for testing spam, and still leaves those sitting behind systems that still force users with outside email addresses to use their mail servers. The mere fact that any such system (SPF, DomainKeys or whatever) has to essentially remain completely compatible with older SMTP-based systems means that it really won't solve the problem. The underlying SMTP relay system has problems, and Domain Keys and SPF are just kludgy solutions that really are limited in what exactly they can solve.

few users

spam bothers few users

Dunno about anyone else, but as the admin for our company, I get more complaints about spam than anything other single item I can think of...

Sooooo close... but not going to work.

[NerveGas]

    My initial thought was "Terrific. This really has the potential to eliminate spam." Then I got to looking into the RFC... standard private/public key exchange. But, it allows for individual MUAs to posess the private key, such that they can perform the signature.

    This puts the entire burden of security in the scheme upon the MUA. So any time a machine is infected with the spam-virus of the day, that private key will be sent off to the spammers, who will send out floods of seemingly legitimately-signed email. Instead of just selling valid email addresses to other spammers, they'll sell addresses and domain keys.

    Furthermore, from an administrative perspective, that means that each time one of your user's machines is hacked and the private key compromised, you have to change your public/private keypair, including updating the MUA on *all* of your sender's machines.

    Forcing signing upon the MTAs eliminates much of that work (and hopefully the security exposure), but forces inconvenience on a good number of users. It's a tradeoff I'd be willing to make, but the RFC doesn't seem willing to do so.