I thought it might be useful to chime in here. My goal is simply to show where
a commercial sender/receiver might see some value, with Daniel's APNIC
presentation in mind. I'm not asserting that any of this applies to a regional
ISP per se, but insofar as it applies to their customers they may wish to
understand it.
If you want to use any of what follows outside of this mailing list, contact me
before doing so.
Bank of America has been using SPF and DKIM for more than a few years now. We
have a rich mix of originators of message traffic using various domains and
subdomains, located on both sides of traditional corporate boundaries, and
targeting different internal and external recipients. We've gone to
considerable effort to implement these techniques as widely as possible, and to
educate and encourage other corporations to do so.
We have done this because we believe that doing so will enable us to better
protect our customers from fraud and abuse, with respect to our brands and
relationships. Speaking about this publicly may help others reach similar
conclusions, which may help protect our customers from being compromised
through other brands and relationships. So for us, this is a very real and
practical matter.
Early on, even without 100% coverage we were able to address certain issues
around bad actors targeting our employees. We found that to be of great
benefit, even though it wasn't why we started down this path.
We see real value in DKIM for what we believe it gives us - a way for a
receiver to tell whether or not a given message using one of our domains was
sent by ourselves or one of our delegates. There are definitely cases where the
technique breaks down, and there is also an added cost to our operations, but
these factors have not changed our cost/benefit decisions.
There hasn't been much press coverage lately about high-profile bilateral
DKIM+SSA adoption, such as the Yahoo and eBay/PayPal arrangement. However in
the past year or so several startups have appeared that seek to act as SSA
clearinghouses or brokers. This approach certainly seems more practical than a
proliferation of bilateral agreements, offering some kind of uniform mechanism
while avoiding real/perceived limitations of ADSP - but you've got to have a
handle on DKIM to participate.
Also over the past several years a lot of MTA appliance vendors have delivered
DKIM functionality that can be used in making receiver filtering decisions. I
would suggest that we don't know how many of their customers are using DKIM
with a local policy for high-value or certain highly-phished traffic. Consider
the use of mandatory TLS to protect messages in transit between specific
endpoints - something we know the financial and legal communities have adopted
with vigor and real savings, despite any weakness over other solutions. It
seems likely to me that something similar is happening with DKIM, though
getting the data to back it up would be difficult.
--Steve.
Steven M Jones
ET&D Desktop & Electronic Communications
Bank of America; Concord, California
Steven(_dot_)M(_dot_)Jones(_at_)BankOfAmerica(_dot_)com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
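The receiver-side "local policy for high-value or highly-phished traffic" that the post mentions is the part most easily shown in code. The following is an added illustration, not code from the post, from Bank of America, or from any MTA vendor: a receiving MX has already verified DKIM and SPF and recorded the outcome in an Authentication-Results header (RFC 8601 syntax); a local policy table then says, for a handful of From: domains the receiver cares about, which DKIM signing domains (the sender's own and its delegates) it will accept, and anything else from those domains is quarantined. All domain names, the policy table, the authserv-id `mx.receiver.example` and the sample messages are constructed for the example. One practitioner detail is built in: only Authentication-Results headers bearing our own authserv-id are consulted, because a header with any other authserv-id (or one that arrived from outside, which a real MTA strips at ingress) could have been written by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed local policy: From: domains this receiver treats as high-value,
# mapped to the DKIM signing domains (header.d=) accepted for each. The set
# covers the sender's own domain plus the delegates it has told us about.
LOCAL_POLICY = {
    "bank.example": {"bank.example", "mail.bank.example", "esp-delegate.example"},
}

# method=result followed by its ptype.property=value pairs, up to the next ';'
AR_METHOD_RE = re.compile(r"(?P<method>dkim|spf)=(?P<result>[a-z]+)(?P<props>[^;]*)")
PROP_RE = re.compile(r"(\w+\.\w+)=([^\s;]+)")


def parse_authentication_results(value: str) -> list[dict]:
    """Parse one Authentication-Results header value into a list of
    {'method', 'result', <ptype.property>: <value>} dicts (dkim/spf only)."""
    _, _, body = value.partition(";")          # drop the leading authserv-id
    results = []
    for m in AR_METHOD_RE.finditer(body):
        entry = {"method": m.group("method"), "result": m.group("result")}
        for key, val in PROP_RE.findall(m.group("props")):
            entry[key] = val.lower()
        results.append(entry)
    return results


def from_domain(msg) -> str:
    """Domain of the RFC 5322 From: address, lowercased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def local_policy_decision(raw_message: str, authserv_id: str) -> str:
    """Return 'accept', 'quarantine' or 'no-policy' for a raw RFC 5322 message.

    'no-policy' means the From: domain is not in LOCAL_POLICY and ordinary
    filtering applies; the other two are the local policy outcome."""
    msg = message_from_string(raw_message)
    allowed = LOCAL_POLICY.get(from_domain(msg))
    if allowed is None:
        return "no-policy"
    passing = set()
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, _ = str(hdr).partition(";")
        if authserv.strip() != authserv_id:
            continue  # not written by our own MX: do not trust it
        for r in parse_authentication_results(str(hdr)):
            if r["method"] == "dkim" and r["result"] == "pass":
                passing.add(r.get("header.d", ""))
    return "accept" if passing & allowed else "quarantine"


# Constructed sample messages. GOOD is signed by a listed delegate; BAD has no
# signature and fails SPF; FOREIGN_AR carries a passing result, but from an
# authserv-id that is not ours; UNLISTED is from a domain with no local policy.
GOOD = """From: Alerts <alerts@bank.example>
Authentication-Results: mx.receiver.example; dkim=pass header.d=esp-delegate.example header.s=sel1; spf=pass smtp.mailfrom=esp-delegate.example
Subject: Statement ready

Your statement is available.
"""

BAD = """From: "Bank Security" <security@bank.example>
Authentication-Results: mx.receiver.example; dkim=none; spf=fail smtp.mailfrom=phish.example
Subject: Verify your account

Click here.
"""

FOREIGN_AR = """From: Alerts <alerts@bank.example>
Authentication-Results: mx.other.example; dkim=pass header.d=bank.example
Subject: Statement ready

Your statement is available.
"""

UNLISTED = """From: newsletter@other.example
Authentication-Results: mx.receiver.example; dkim=fail header.d=other.example
Subject: Weekly digest

Hello.
"""

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("BAD", BAD),
                      ("FOREIGN_AR", FOREIGN_AR), ("UNLISTED", UNLISTED)]:
        print(name, "->", local_policy_decision(raw, "mx.receiver.example"))
```

The policy table is deliberately per-sender rather than global: it is the receiver's own record of which signing domains a high-value sender has vouched for, which is the same information a bilateral arrangement or an SSA broker would supply. A `no-policy` result falls through to whatever ordinary filtering the receiver already does, so the table only ever tightens handling for the domains listed in it.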