ietf-dkim
[Top] [All Lists]

[ietf-dkim] Some concerns with SSP impact on very small businesses

2008-01-08 13:12:11
All,

I apologize for being a bit late to the table... I've been working with
DKIM for a while now, but only recently sat down and read through the
details of SSP. 

I'm a bit concerned that widespread adoption of SSP, although it sounds
like it will work great for large organizations, will likely hurt a
large population segment of individuals, small businesses, and
non-profits. Many of these do not have the time, money, and/or expertise
to manage their own domains but are professional enough to want to
outsource their (outbound) email to a 3rd party service. Although each
member of this segment is small, collectively the segment represents a
very large number of people and small organizations. 

I'll walk though an example of how SSP is problematic for this segment. 

The typical behavior for 3rd party services that cater to individuals,
small businesses, or non-profits is that they allow the customer to
choose the From: address that is used in their outbound emails so that
the email will be recognizable to its recipients. In general, this email
address will be an address from a large ISP (e.g.
joesbikeshop(_at_)yahoo(_dot_)com), and is usually the primary electronic 
identity.
So the body From: address would be joesbikeshop(_at_)yahoo(_dot_)com, but the
sending agent would be the 3rd party service (e.g. outsource.com). The
email may be authenticated either by having outsource.com sign it
directly, or by creating customer-unique subdomains used solely for
authentication, but either way the signing would be done by
outsource.com. 

With SSP in play, once the ISP (e.g. yahoo.com) decides to publish an
SSP record things start to go downhill. The above configuration will
always trigger a lookup since the signature will never come from the ISP
domain, and the Verifier will only look for the SSP policy in the From:
address domain (yahoo.com). Since it's unlikely that any third party
signature used by outsource.com on behalf of their customers (whether
it's outsource.com directly, or unique signatures per-customer) will be
included in the list of Verifier Acceptable Third Party signatures at a
given Verifier, a record with either dkim=all or dkim=strict will cause
the joesbikeshop email to be consistently labeled as suspicious even
though it is authenticated and even though the address belongs to the
author of the email. 

In other words, once the major ISPs start publishing SSP records there
will be no way for people matching the above profile to avoid having
their mail marked as suspicious by SSP unless they stop using their ISP
email, which is most cases is the one that's recognized and trusted by
their customers. Until we get to the point where domain registrars make
creating authentication related DNS records foolproof so that
essentially anyone can do it, and until domain hosting services provide
email clients that are as familiar and robust as those of the major
ISPs, SSP is going to make life very painful for a significant segment
of the population once ISPs start publishing records with anything other
than dkim=unknown. 

How big is this segment? It mainly consists of some individuals, small 
businesses, and non-profits too small to manage their own 
domains who want more professional email and more delivery 
consulting than a simple ISP account can provide. Some fraction of these
do not even have a domain, and most of the rest have one but 
don't have sufficient access or technical expertise to manage 
it themselves (i.e., they may have a mostly static website, but 
generally don't use it for anything else including email). 

Unfortunately, I don't have a specific proposal on how to fix this
problem for the little guys without breaking the much-needed solution
for the large organizations. I'm hoping that in describing the problem
I'll trigger some new ideas that may help, or alternatively an
explanation of how this problem can already be addressed within the
constraints of the current version of the spec. 

Disclaimer: I work for an ESP whose customer base is almost entirely
made up of this segment of senders, currently over 150,000 of them. We
know a fair bit about the profile of these senders. While I obviously
have concerns about the business model impact to the ESP, I'm trying to
focus here on the impact to the many, many individuals, small
businesses, and non-profits who will feel the impact should SSP in its
current state gain traction in the current ecosystem. 

Ellen Siegel
Constant Contact


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html