The IETF DKIM working group has been making considerable progress, and now has a close-to-final draft. DKIM will let domains sign their mail so if you get a message from fred@furble.net, the furble.net mail system can sign it so you can be sure it really truly is from furble.net. But unless you already happen to be familiar with furble.net, this doesn't give you any help deciding whether you want the message. This is where the new Domain Assurance Council (DAC) comes in.
DAC is a smallish trade association that Paul Hoffman and I recently started. Its goal is to define consistent ways for people to do certification and reputation based on DKIM. Certification lets a trusted third party publish a list of senders they vouch for. If you have that message from furble.net, you can check with your favorite certification service to see if furble.net is on their list of known good guys, and if so, skip the spam filters and deliver the mail. The technology to check whether a domain is on a certification service's list is not complicated; on the contrary it is so easy that if you asked 10 programmers how to do it, you would get ten similar but not quite compatible approaches. DAC has mostly spec'ed out a simple way to do the check. (It's available to anyone for free. All our specs will be.) The goal is to get everyone to check the same way, so each mail program needs only to be upgraded once to support DKIM certification, and if you decide you want to change whose list you check, you need only change a configuration setting or two.
At the moment, the only people doing certification are general purpose mail certification services. (Several of them are already DAC members.) Down the road we also expect to see a lot of industry specific certifiers. For example, the FDIC or ABA might certify mail from their member banks, since they already know who the banks are. Other trade associations or regulators might similarly certify their members or regulatees.
The next step after certification will be reputation. The difference is that certification is basically one bit saying "they're OK", while reputation is more like a credit score that gives the reputation service's opinion of a sender, or a credit report with a collection of positive and negative data from which recipients can draw their own conclusions. Reputation is harder to do than certification, since a reputation report might contain anything from a single numeric score to an entire dossier of data of different types.
If you want to see how our certification system, currently called Vouch by Reference (VBR), works drop by our web site and take a look.
By John Levine, Author, Consultant & Speaker. Visit the blog maintained by John Levine here.
To post comments, please login or create an account.
DNS SecuritySponsored byAfilias | |
MobileSponsored bydotMobi | |
DNSSponsored byNeustar UltraDNS | |
IPv6Sponsored byNominum | |
SecuritySponsored byVerisign | |
Top-Level DomainsSponsored byMinds + Machines |
Great job on VBR so far!
1)It would be nice to see it extended soon to include semantics for non-e-mail messages, such as IMs, wiki-edits, blog comments like this one, SMS, forum & USENET posts, VoIP, and could readily be applied to entire websites, and faxes…
Fortunately, the semantics are readily extensible to cover such media, though the 'all' category should be renamed (to email) or redefined (to cover all media) ASAP.
2)Some clarification as to whether, for example, a transactional email can also have advertising in it or not is needed.