I wanted to address Hotmail's use of ADSP, clarify our position on the issue of
authentication policy, and share a few bits of information the list may find
interesting.
Hotmail's use of DKIM+ADSP should not be interpreted as a political statement;
we implemented DKIM to offset the impact of well-known SPF false-failure
scenarios. We viewed DKIM+ADSP as a package deal and a first step to fully
integrating authentication policy controls into our delivery pipeline.
In fact, we're still experimenting with the two standards in a phased rollout.
For purely operational reasons the initial phase restricted DKIM validation to
messages failing SPF, and we further restricted signature selection to author
domain signatures.
SPF fails for ~1.5% of our inbound traffic, so that's the percentage of mail
for which we currently run DKIM. The next phase of our DKIM project begins soon
and will expand DKIM's "scope" to all non-passing SPF results, or ~49% of total
inbound volume.
We check ADSP every time we run DKIM and see the following policy distribution:
97.98% "unknown" (including domains not explicitly publishing policy)
2% "discardable"
0.02% "all"
We'll continue to evaluate ADSP's utility as we increase the DKIM validation
rate, though our research suggests the current policy distribution won't
profoundly change.
Moving forward, we fully support the creation of a mechanism for deterministic
authentication-based sender-published message disposition policy as well as the
feedback loop(s) necessary to help senders overcome their reluctance to deploy
aggressive policies.
While we believe our authentication policy controls will initially consume
policy from intermediaries, we've designed them to use DNS-based policy should
a broadly-acceptable standard emerge. We're taking the long view and betting
that such a standard is possible, and are looking forward to being part of
creating it.
-p
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Scott Kitterman
Sent: Wednesday, April 20, 2011 5:51 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] ADSP stats
On Wednesday, April 20, 2011 08:01:21 PM John R. Levine wrote:
> > A much better test would be to compile a list of DKIM signing domains,
> > and do the ADSP query on them.
>
> That's what I did. The only ADSP I see this year is Paypal.

That's a success story of a sort. We know that ADSP is only potentially useful
in a narrow set of circumstances. Data that indicates the protocol isn't being
widely deployed for domains for which it is not suited is good news.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
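The phased gating described in the first message (DKIM only when SPF is in scope, only author domain signatures counted, ADSP consulted on every DKIM run) can be sketched as follows. This is an added example, not code from the thread or from Hotmail: the function names are hypothetical, the result names follow the dkim-adsp results of RFC 5617, and signature verification and the DNS query for `_adsp._domainkey.<domain>` are assumed to have happened elsewhere.

```python
from email.utils import parseaddr

def parse_adsp(txt):
    """Map the TXT record at _adsp._domainkey.<author domain> to a practice.
    No record, a malformed record, or an unrecognized value all count as
    "unknown", the same bucket the statistics in the post use."""
    if not txt:
        return "unknown"
    name, _, value = txt.split(";")[0].partition("=")
    if name.rstrip() != "dkim":         # RFC 5617: record must start with "dkim"
        return "unknown"
    value = value.strip().lower()
    return value if value in ("all", "discardable") else "unknown"

def dkim_in_scope(spf_result, phase):
    """Phase 1 runs DKIM only on SPF fail; phase 2 on every non-pass result."""
    return spf_result == "fail" if phase == 1 else spf_result != "pass"

def evaluate(spf_result, from_header, verified_d, adsp_txt, phase=1):
    """verified_d: d= domains of signatures that already verified.
    Returns "skipped" or a dkim-adsp style result."""
    if not dkim_in_scope(spf_result, phase):
        return "skipped"
    author = parseaddr(from_header)[1].rpartition("@")[2].lower()
    # Author domain signature: d= equals the From: domain (case-insensitive).
    if author and author in {d.lower() for d in verified_d}:
        return "pass"
    practice = parse_adsp(adsp_txt)
    return {"all": "fail", "discardable": "discard"}.get(practice, "unknown")

# Constructed sample messages (not real traffic):
# (SPF result, From: header, verified d= domains, ADSP TXT record or None)
SAMPLES = [
    ("fail", "Billing <billing@pay.example>", ["pay.example"], "dkim=discardable"),
    ("fail", "Billing <billing@pay.example>", ["esp.example"], "dkim=discardable"),
    ("softfail", "news@shop.example", [], "dkim=all"),
    ("fail", "bob@corp.example", [], None),
]

if __name__ == "__main__":
    for phase in (1, 2):
        print("phase", phase, [evaluate(*s, phase=phase) for s in SAMPLES])
```

The third sample shows what the scope change alters: an SPF softfail message is never evaluated in phase 1, while in phase 2 it reaches the ADSP check and its domain's "all" practice takes effect.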