I'm active in a lot of the different email industry groups, and on a number of those lists, the hot topic lately is DKIM – DomainKeys Identified Mail.
What is DKIM? Wikipedia explains that DKIM “is a method for E-mail authentication, allowing a person who receives email to verify that the message actually comes from the domain that it claims to have come from.”
A lot of the ongoing discussion surrounding DKIM relates to what people want from the specification. Senders (ESPs, big brands) and receivers (ISPs, spam filtering device manufacturers, and MTA (mail transfer agent – i.e. “mail server software”) publishers) seem to want different things from the spec.
Anything I tell you about my desires for the specification is certain to be tinted by my own biases. As is the case with anyone. But, allow me to be up front about those biases. I'm a representative of a sender, email service provider ExactTarget. But I also have a strong history in the realm of blacklists, having created more than one of them myself, and having worked with various ISPs over the years to help them filter out spam.
So what do I want out of DKIM? I want two things out of DKIM, or out of email authentication in general:
Enable better whitelisting. Prove that mail from domain.com really came from domain.com, and then a receiving site has the ability to better develop statistics specific to those messages. Maybe IP address reputation doesn't go away, but if an ISP can see that very few messages sent from a domain generate complaints, I suspect the smarter ISPs are going to be more likely to allow that mail through, regardless of its source IP address. (The flip side of this is that if I'm a bad sender, it becomes harder to sidestep a bad reputation by changing IP addresses. This I believe to be a feature, not a bug.)
Enable better blacklisting. Is there a better way to promote message security? Block, or more heavily filter, unsigned mail, especially if it comes from a domain where you've recognized that other messages sent are being signed properly. This is controversial, and it's hard to say if it would ever come to be. But this is about what I want, and this is what I want. I want, when signing up for an ISP feedback loop, or registering with a spam filterer or MTA vendor, to be able to tell them that all of my mail is signed, and that they can feel free to discard or reject unsigned mail.
Pros: Stops a lot of phishing in its tracks. Helps recipients to understand that if the from domain is “ebay.com”, the message really did come from eBay.
Cons: Doesn't stop “lookalike domain” attacks. (What if the message came from ebay7.com?) Some technology experts really hate the idea of using DKIM in this way, because they feel that a system issue would cause a legitimate message to be nuked. I think the risk here is lower than others represent, and I also think that some of the folks making this case, while I respect them, do not run abuse desks at large ISPs. I find it hard to believe that ISPs would never consider this.
Making things better for those who send mail isn't my only consideration. Making things easier for those who block or filter mail is also very important to me. If I ran a spam filter, how would I want things to work? That's part of where I'm coming from here. How does DKIM, or authentication in general, fit into a spam filtering strategy?
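The two policies described above (reputation keyed on the authenticated domain, and rejecting unsigned mail from a domain that signs everything) sketched as a receiver-side check. This is an added example, not code from the author or any ISP; the `mx.receiver.example` authserv-id, the `SIGNS_ALL` registry, the complaint threshold and the sample messages are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.receiver.example"  # assumption: this receiver's own DKIM verifier
SIGNS_ALL = {"ebay.com"}             # assumption: senders who registered "all my mail is signed"
MAX_COMPLAINT_RATE = 0.01            # assumption: illustrative threshold
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)

seen, complaints = Counter(), Counter()  # reputation keyed by domain, not by IP

def passed_domains(msg):
    """d= domains with dkim=pass, trusting only headers our own verifier added."""
    out = set()
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";")[0].strip().lower() != AUTHSERV_ID:
            continue  # added by some other host, possibly forged
        out |= {d.lower() for r, d in DKIM_RE.findall(value) if r.lower() == "pass"}
    return out

def classify(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumption: From domain must equal d= exactly (no subdomain handling).
    if domain and domain in passed_domains(msg):
        seen[domain] += 1
        if complaints[domain] / seen[domain] > MAX_COMPLAINT_RATE:
            return "filter: authenticated domain has poor reputation"
        return "deliver: authenticated domain reputation"
    if domain in SIGNS_ALL:
        return "reject: unsigned mail from a sign-everything domain"
    return "fallback: IP reputation"

def sample(from_addr, auth_results):
    """Build a constructed test message (not real mail)."""
    return f"From: {from_addr}\nAuthentication-Results: {auth_results}\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    for frm, ar in [
        ("eBay <member@ebay.com>", f"{AUTHSERV_ID}; dkim=pass header.d=ebay.com"),
        ("eBay <member@ebay.com>", f"{AUTHSERV_ID}; dkim=none"),
        ("eBay <member@ebay.com>", "mx.other.example; dkim=pass header.d=ebay.com"),
        # Lookalike domain: validly signed by its own owner, so it is not rejected.
        ("eBay <member@ebay7.com>", f"{AUTHSERV_ID}; dkim=pass header.d=ebay7.com"),
    ]:
        print(frm, "->", classify(sample(frm, ar)))
```

A production filter also deletes inbound Authentication-Results headers that claim its own authserv-id before running verification, so a sender cannot pre-insert a passing result.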
So what do YOU want out of DKIM, or out of email authentication in general? Comments and feedback welcome. (Please keep it gentle – I won't approve any comments with insults.)









