ietf-asrg
[Top] [All Lists]

Re: [Asrg] Email Postage (was Re: FeedBack loops)

2008-11-15 17:34:38
Have you seen my earlier email about a meet at IETF to test DKIM at UNI level?

Toute connaissance est une réponse à une question

On 16/11/2008, at 5:38, Steve Atkins <steve(_at_)blighty(_dot_)com> wrote:


On Nov 15, 2008, at 2:44 AM, Matthias Leisi wrote:


Steve Atkins schrieb:

Rather than devise such a new scheme, think about why SenderID, SPF,
DomainKeys and plain old S/MIME have not taken off.  These are all
open standards, free to implement and thus should be attractive.

Yet they are not implemented.

I suspect that the majority of email sent has three of those four
implemented. If not quite a majority it's _definitely_ a large fraction.

Do you have some (circumstantial) evidence or some more-or-less hard
data to back that statement up?

From my experience, I highly doubt that this statement is true
(especially for mail sent from corporate environments - it's a bit
different when looking at outgoing mail from ISPs and webmail providers).

When I said "majority of email" I meant "majority of legitimate email", so
excluding botnet originated spam (which doesn't seem to be using DKIM
or SPF much). (I tend to categorize botnet originated spam separately
because dealing with it is so different to dealing with the rest of email,
but I really ought to be clearer about that).

If you're sending mail in large volumes then you require SPF or SenderID records to be able to send email successfully to Hotmail. Until recently you
also needed them to comfortably send mail to AOL. They're easy to
put in place and free to do, so everybody sending significant volumes
of bulk mail has SPF in place (even B2B bulk mail, as most anywhere
doing B2B bulk is also doing B2C bulk). One noticeable ISP has dropped
their SPF records to make a political statement, but in general they don't
cause any problems so they tend to be left in place even after their
perceived value has dropped to the level of, say, Hotmail.

The same is mostly true of DK or DKIM signing, due mostly to persuasion
from Yahoo and AOL, as well as people with influence who think having
DKIM deployed is better done sooner than later. Good support for signing in most all of the commercial appliances, enthusiasm from sendmail inc.
for DKIM and so on all helps that number too.

So I'm fairly comfortable saying, from personal experience, that the
majority of commercial bulk email sent (via ESPs or under the
supervision of competent delivery staff) is using SPF and most of
it is signed with one or both of DK and DKIM.

That right there is a large fraction of legitimate email
that's carried over the internet. Throw in the number of major consumer
ISPs who are signing with DK and/or DKIM and which have SPF records
in place and that's probably a majority.

Non-bulk mail sent from corporate environments? Almost lost in the noise by that point. (And Microsoft, for reasons of saving face, is about the only entity who isn't enthusiastic about DKIM, so Exchange users are likely to be the tail end of the technology curve again). IIRC there's a lot of SPF
deployment at large enterprises, though.

Very few entities of any size are checking SPF and placing a lot of
weight on the result (because it's crap). Very few entities are doing
much serious with inbound DKIM yet (because we're still feeling our
way around the operational issues before we decide to do neat stuff
with the data). But there's a lot of signing going on.

Various groups have done surveys of this sort of stuff, but they've
mostly been done by surveying DNS, rather than looking at a real
mail stream, which leads to all sorts of selection bias. The large
consumer ISPs certainly have the data, but I don't know of any that have
released it. The data I've seen tends to match my experience, but
I don't know of any recent surveys that have published this sort of
data recetly.

Cheers,
 Steve


_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg