[cryptography] DKIM: Who cares?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Oct 24 23:34:33 EDT 2012

Zack Weinberg <zack.weinberg at sv.cmu.edu> writes:

>Or perhaps the mere presence of a DKIM record is sufficient deterrent against 
>spam with forged From addresses at a particular domain, and that's the only 
>thing these organizations thought DKIM was good for.

I think it's more likely that DKIM is affecting spammers so little (if at all) 
that they never really cared about it, and the organisations deploying it know 
that and don't bother doing anything more than going through the motions using 
the shortest (= lowest-overhead) keys.  The thinking is that if DKIM had any 
effect on spam we'd have seen some sort of change in spam volume after it was 
deployed, but AFAIK there's been no effect on spam, just as SPF and who knows 
how many others have had no effect:


Having said that, if anyone at one of the DKIM-using organisations would like 
to contact me off-list to provide their point of view as to why toy keys were 
used, I'd love to hear about it.  My guess is that it's a case of 
crypto-geeks : 0, operational considerations : 1, but there may be more to it 
than that.


