ietf-dkim

Re: [ietf-dkim] ADSP stats

2011-04-27 14:00:35
Paul, 

Thank you for sharing what you have. Comments/questions inline.

Mike

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Paul Midgen
Sent: Wednesday, April 27, 2011 1:21 PM
To: Scott Kitterman; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] ADSP stats

I wanted to address Hotmail's use of ADSP, clarify our position on the
issue of authentication policy, and share a few bits of information the
list may find interesting.

Hotmail's use of DKIM+ADSP should not be interpreted as a political
statement; we implemented DKIM to offset the impact of well-known SPF
false-failure scenarios. We viewed DKIM+ADSP as a package deal and a
first step to fully integrating authentication policy controls into our
delivery pipeline.

In fact, we're still experimenting with the two standards in a phased
rollout. For purely operational reasons the initial phase restricted
DKIM validation to messages failing SPF, and we further restricted
signature selection to author domain signatures.

SPF fails for ~1.5% of our inbound traffic, so that's the percentage of
mail for which we currently run DKIM. The next phase of our DKIM
project begins soon and will expand DKIM's "scope" to all non-passing
SPF results, or ~49% of total inbound volume.

We check ADSP every time we run DKIM and see the following policy
distribution:

97.98% "unknown" (including domains not explicitly publishing policy)
2% "discardable"
0.02% "all"


The 2% "discardable" is interesting. Is that percentage of volume or
percentage of domains evaluated? Also, is there anything noticeable
about the domains publishing such as a heavy preponderance of domains
belonging to financial organizations?

We'll continue to evaluate ADSP's utility as we increase the DKIM
validation rate, though our research suggests the current policy
distribution won't profoundly change.

Moving forward, we fully support the creation of a mechanism for
deterministic authentication-based sender-published message disposition
policy as well as the feedback loop(s) necessary to help senders
overcome their reluctance to deploy aggressive policies.


We (AGI) have been waiting for the ability to deploy aggressive policy
statements in a meaningful way and are supportive of efforts to move
this forward. Unfortunately ADSP as it stands is too limited from our
perspective.

While we believe our authentication policy controls will initially
consume policy from intermediaries, we've designed them to use DNS-based
policy should a broadly-acceptable standard emerge. We're taking
the long view and betting that such a standard is possible, and are
looking forward to being part of creating it.


+1


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
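
The phased SPF-gated DKIM check and the ADSP policy tally described in the message above, as an added example that is not part of the original post and is not Hotmail's code. The record syntax and result names follow RFC 5617 in simplified form; the function names, message fields and sample data are constructed for illustration.

```python
from collections import Counter

ADSP_PRACTICES = {"unknown", "all", "discardable"}

def parse_adsp(txt):
    """Practice from the TXT record at _adsp._domainkey.<author domain>.

    No record, a record that does not start with the "dkim" tag, or an
    unrecognized value all count as "unknown" (simplified parser).
    """
    if not txt:
        return "unknown"
    name, sep, value = txt.split(";", 1)[0].partition("=")
    if not sep or name.strip() != "dkim":
        return "unknown"
    value = value.strip().lower()
    return value if value in ADSP_PRACTICES else "unknown"

def runs_dkim(spf_result, phase):
    """Phase 1 validates DKIM only on SPF fail; phase 2 on any non-pass."""
    return spf_result == "fail" if phase == 1 else spf_result != "pass"

def adsp_result(author_domain, valid_sig_domains, adsp_txt):
    """ADSP outcome counting only author domain signatures (d= equals From: domain)."""
    if author_domain.lower() in {d.lower() for d in valid_sig_domains}:
        return "pass"
    practice = parse_adsp(adsp_txt)
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]

def policy_distribution(messages, adsp_records, phase):
    """Count published practices over the messages for which DKIM is run."""
    tally = Counter()
    for msg in messages:
        if runs_dkim(msg["spf"], phase):
            tally[parse_adsp(adsp_records.get(msg["from_domain"]))] += 1
    return tally

# Constructed sample data (hypothetical domains, not from the list message).
ADSP_RECORDS = {"bank.example": "dkim=discardable", "corp.example": "dkim = all",
                "odd.example": "v=spf1 -all"}  # last one is not an ADSP record
MESSAGES = [
    {"from_domain": "bank.example", "spf": "fail"},
    {"from_domain": "corp.example", "spf": "softfail"},
    {"from_domain": "odd.example", "spf": "fail"},
    {"from_domain": "nopolicy.example", "spf": "neutral"},
    {"from_domain": "corp.example", "spf": "pass"},
]

if __name__ == "__main__":
    for phase in (1, 2):
        print(phase, dict(policy_distribution(MESSAGES, ADSP_RECORDS, phase)))
```

Widening the gate from phase 1 to phase 2 changes which messages are sampled, so the tally can shift even though no domain changed its published practice.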
