spf-discuss

RE: SES

2004-10-04 09:34:06
From: Theo Schlossnagle
Sent: Monday, October 04, 2004 7:36 AM

<...>

Regression analysis shows that implementing DomainKeys at even the
largest ISPs will require little additional equipment.  For the common
case (under one million messages/day) DomainKeys doesn't even show up
on the profiling chart.

While this is true for an MTA that does nothing but transfer messages, most
MTAs have to do a lot more than that.  Signing and validating RSA
signatures is an expensive matter.  The Sendmail demonstration with
DomainKeys http://sendmail.net/dk-milter/benchmark/ shows that the
throughput with small messages, like most spam, was reduced to about half.
This says that for small messages, the overhead of DomainKeys is
approximately the same as the entire email transaction without DomainKeys.

As authentication schemes become adopted, spammers will be more or less
forced to send properly signed messages from throw-away domains.  We can
hope for better/faster/smarter blacklisting systems, but unfortunately,
authentication will not reduce the need for virus and content filters.
These loads will still be present on the MTA.  Doing an expensive RSA
signature validation prior to rejecting a message with a content filter is
an additional load that is significant.  If we were really substituting one
load for another, that would be a different story.  As long as we have to
continue to run virus and content filters, which I don't see ending any time
soon, authentication needs to be as lightweight as possible.  PK schemes may
be a reasonable load for legitimate senders, but they place an unreasonable
load on recipients, whose incoming mail stream consists mostly of short,
unwanted messages.

--

Seth Goodman

