Searching for Truth in DKIM: Part 3 of 5

J.D. Falk

Last year, MAAWG published a white paper titled Trust in Email Begins with Authentication [PDF], which explains that authentication (DKIM) is "[a] safe means of identifying a participant — such as an author or an operator of an email service" while reputation is a "means of assessing their trustworthiness."

Reputation systems based on IP addresses, including Return Path's Sender Score, are used by many ISPs and anti-spam vendors to determine which mail to accept, which to reject, and which to subject to additional filtering before making a delivery decision. There, the identifier is the IP address.

The reason this sort of reputation works for delivery decisions is that it's an attempt to predict whether the sender of a message can be trusted to send mail that the recipients want — or, more accurately, whether the IP address of a message can be trusted to send mail that the recipients won't complain about. We also mix in the concept of safety, largely in the form of how likely it is that the IP address is sending phishing scams or similar bad stuff.

In part 1 of this series, we described how the DKIM "d=" identifier brings us closer to knowing who sent a message, because it can be tied to the company or person who registered that domain name.

Reputation or certification based on the DKIM d= identifier will have the same goal — and will be more effective, because it will be tied to the signing entity rather than a single IP address. When ADSP is applied, that signing entity could be the author domain (see part 2). If not, it's still a useful method for determining whether to trust the message. Any d= domain that regularly signs trusted messages becomes trustworthy, and vice versa.

Plus, d= reputation is portable — the owner of the d= domain can use that same identifier on multiple IP addresses, even bringing it to a different ESP (as we described in part 2), without having to start over from scratch or to "warm up" IPs.
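The difference between the two identifiers can be seen in a small tally. The following is an added example, not code from Return Path or from this article: it extracts the d= tag from DKIM-Signature header values and keeps complaint counts keyed by IP address and by d= domain. The message tuples, the `verified` flag (signature verification is assumed to happen upstream), and the class and function names are all constructed for illustration.

```python
import re
from collections import defaultdict

def dkim_domain(header_value):
    """Return the lowercased d= tag of a DKIM-Signature value, or None."""
    # RFC 6376 tag-list: tag=value pairs separated by ';', with folding
    # whitespace allowed around names and inside values.
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    d = tags.get("d")
    return d.lower() if d else None

class Reputation:
    """Complaint tally per identifier (an IP address or a d= domain)."""
    def __init__(self):
        self.sent = defaultdict(int)
        self.complaints = defaultdict(int)

    def record(self, key, complained):
        self.sent[key] += 1
        self.complaints[key] += int(complained)

    def score(self, key):
        # None means no history at all for this identifier.
        if not self.sent.get(key):
            return None
        return 1.0 - self.complaints[key] / self.sent[key]

def build(messages):
    by_ip, by_domain = Reputation(), Reputation()
    for ip, sig, verified, complained in messages:
        by_ip.record(ip, complained)
        # Only a signature that verified ties the message to its d= domain;
        # verification itself is assumed done upstream (the "verified" flag).
        domain = dkim_domain(sig) if verified else None
        if domain:
            by_domain.record(domain, complained)
    return by_ip, by_domain

# Constructed sample: (connecting IP, DKIM-Signature value, verified?, complaint?)
OLD = ("192.0.2.10", "v=1; a=rsa-sha256; d=Example.com; s=esp1; b=PLACEHOLDER", True, False)
NEW = ("198.51.100.7", "v=1; a=rsa-sha256;\r\n d=example.com; s=esp2; b=PLACEHOLDER", True, False)
BAD = ("203.0.113.5", "v=1; a=rsa-sha256; d=example.com; s=x; b=PLACEHOLDER", False, True)
BY_IP, BY_DOMAIN = build([OLD] * 4 + [NEW, BAD])
```

After the move to the new IP, `BY_DOMAIN` holds five messages of history for example.com while `BY_IP` has only one for 198.51.100.7, and the message whose signature did not verify counts against its IP address alone.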

While not absolutely perfect, reputation and certification based on d= will be far more accurate, effective, and convenient than when it's based solely on the IP address. But does a trustworthy d= domain indicate a truthful message? Stay tuned for part 4.

(This article was originally published by Return Path)

By J.D. Falk, Internet Standards and Governance.
