Kurt Roeckx's journal

DKIM: Useful?
2nd November 2008

I've been looking at DomainKeys Identified Mail (DKIM) to see if it's useful. My main interest is reducing bounced mail that I didn't send and other people receiving less spam that appears to come from me. It seems there isn't a lot of documentation about it around, and I had to go and read some of the RFCs and drafts to understand things. So I hope this is useful for someone.

According to the Wikipedia article it can be used to verify that the message comes from the domain that it claims to have come from. On the other hand the DKIM FAQ says it's all about the reputation of the organization the messages passed by. There is a project that creates a reputation database that then can be used in anti-spam software like spamassassin.

So at first sight this didn't look useful at all to me. It basically seems like a way to verify the Received lines in the message header. And it seems that that is what most of the software is doing. But there also seems to be an Author Domain Signing Practices (ADSP). It allows you to say that if the message isn't signed it can be dropped because it's spam. There is nothing else in DKIM other than reputation on which you can base that something might be spam or not.

So I started looking into software that supported that. It seems that dkim-milter is the only software available in Debian that implements it. But it seems to be using the _asp._domainkey DNS entry from an old draft instead of the _adsp._domainkey as used in the latest draft. Older drafts even used _ssp._domainkey.

So it seems to me that it's not useful yet and I'll wait until the ADSP RFC is actually published and there is software available that supports it.

Update:
It seems that dkim-milter from version 2.7.0 now uses _adsp._domainkey, but we currently only have 2.6.0 in Debian. But the wizard of sendmail.org still generates the _asp._domainkey. I've filed enhancement requests for spamassassin and dkimproxy / Mail::DKIM.
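
The record-name mismatch described above, as an added example that is not part of the original post: it checks which of the three names a domain publishes a policy under and what a verifier querying only one name would see. The zone data is constructed, the function names are hypothetical, and the `dkim=` values are those of the ADSP RFC as later published (RFC 5617); using the same syntax under the older names is an assumption made for illustration.

```python
# Constructed sample zone data (not real DNS): TXT records keyed by owner name.
SAMPLE_ZONE = {
    "_asp._domainkey.old.example": ["dkim=all"],
    "_adsp._domainkey.new.example": ["dkim=discardable"],
    "_asp._domainkey.both.example": ["dkim=all"],
    "_adsp._domainkey.both.example": ["dkim=all"],
}

# Record-name prefixes mentioned in the post, newest draft first.
PREFIXES = ("_adsp", "_asp", "_ssp")
# Policy values from RFC 5617 (assumed here for the older names as well).
POLICY_VALUES = {"unknown", "all", "discardable"}


def parse_policy(txt):
    """Parse a 'tag=value; tag=value' record; return the dkim= value or None."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip().lower()
    value = tags.get("dkim")
    return value if value in POLICY_VALUES else None


def published_policies(domain, zone):
    """Return {prefix: policy} for each prefix with exactly one valid record."""
    found = {}
    for prefix in PREFIXES:
        records = zone.get(f"{prefix}._domainkey.{domain}", [])
        if len(records) == 1 and parse_policy(records[0]):
            found[prefix] = parse_policy(records[0])
    return found


def effective_policy(domain, zone, verifier_prefix):
    """Policy seen by a verifier that queries only one prefix (None = no policy)."""
    return published_policies(domain, zone).get(verifier_prefix)


def audit(domain, zone):
    """Prefixes (_adsp, _asp) under which a publishing domain has no policy."""
    found = published_policies(domain, zone)
    return [p for p in PREFIXES[:2] if found and p not in found]


if __name__ == "__main__":
    for d in ("old.example", "new.example", "both.example"):
        print(d, published_policies(d, SAMPLE_ZONE), "missing:", audit(d, SAMPLE_ZONE))
```

A domain that publishes only under `_asp` gets no policy from a verifier that queries `_adsp`, and the reverse, so unsigned mail is not flagged until both sides agree on the name.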

Contact: Kurt Roeckx <kurt@roeckx.be>