One of our marketing people just sent this to me. It's a paper produced
by PayPal about their success fighting phishing via their deal with Yahoo!
to have them discard any mail from paypal.com that wasn't signed or
whose signature doesn't verify.
http://www.blackops.org/~msk/paypal-phishing.pdf
A few things are of interest:
1) Although this paper just came out at RSA, it mentions DomainKeys
specifically. I attribute this to the fact that the project's parameters
probably didn't allow for changing of the signing technology during the
evaluation, and not to a feeling that DomainKeys is the solution of
choice.
2) The success of such a test with DomainKeys is also a proof-of-concept
that the same would work with DKIM.
3) The paper mentions SSP, an adjunct to DKIM and not DomainKeys (and an
obsolete reference at that). DomainKeys had its own SSP spec within the
original spec, but they appear to be referring to the newer stuff.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html