Is it bad to only sign some of a domain's emails with DKIM?
-
Is it OK if I sign a subset of domain emails, or is this an all-or-nothing game? We use Amazon's Simple-Email-Service for sending e-commerce emails. We would like to sign these with http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail. This same domain is also used for all email addresses for the corporation behind this e-commerce operation. Due to some IT constraints, it does not look like we'll be able to sign the employee emails for many months to come. Do spam protection servers look at the domain and see a DKIM public key and say, "OK, all emails must be signed", or do they look email-by-email and, if a signature is found, then they go looking for the public key?
-
Answer:
DKIM doesn't tell you anything about whether a message is spam or not (although it's a bit more work to set up, there's plenty of spam that is signed with a valid DKIM signature). DKIM is all about identity - do I know that this message is from the specified sender (and that it hasn't been altered in any meaningful way)? No good anti-spam service will reject a message solely based on a lack of a DKIM signature. If there is an invalid signature, then that's something to consider (i.e. maybe this is phishing); however, it's risky to reject in this case (because signatures can get broken in transit), and most anti-spam filters will not do that (at least by default).

The use of DKIM (without anything else) is to allow the mail client to indicate to the user that the message sender is verified (much as browsers indicate to the user that traffic is sent over SSL, or that a certificate is trusted). So, the simple answer is yes, it is useful to sign messages, even if you cannot sign them all. You can't tell your users that they should only trust messages that are signed, but they can at least trust some of them. (Unfortunately, not a lot of mail clients yet expose this information, and users aren't yet trained to look for it, so the benefits aren't large - yet).

The simple answer to the second question is no, any decent spam filter will ignore the lack of a DKIM signature.

Further to this, there are two ways you can extend your use of DKIM that do have an impact when only some messages are signed.

http://en.wikipedia.org/wiki/Author_Domain_Signing_Practices (ADSP) is an optional extension to DKIM where you specify what should happen to unsigned messages. Specifically, you can select from three choices:

- unknown (this is the behaviour you get if you don't use ADSP) - the domain signs some or all mail (or none, I suppose, although it would then be odd to have the record set up).
- all - the domain signs all mail. The recipient (or their anti-spam filter) gets to choose what to do with messages that don't have a valid signature; commonly these would be put into some sort of quarantine or flagged in some way so that the user is aware that they are probably fraudulent.
- discardable - the domain signs all mail, and is instructing the recipient (or their anti-spam filter) to silently discard any messages that don't have a valid signature. This is the same as "all", except that the sender, rather than the recipient, makes the decision about what to do with messages without a valid signature.

Anti-spam (or anti-phishing, in this case) filters don't have to obey an ADSP instruction, but they are likely to. So right now, you should either ensure that you don't have an ADSP record, or that if you do it is set to "unknown". Once you are able to sign all messages, you could move to "all" or "discardable", depending on what behaviour you would like.

Similar (but newer) to ADSP is http://www.dmarc.org/specification.html (DMARC). DMARC incorporates policies for both SPF failures and DKIM failures, and incorporates information about providing feedback (to the supposed sender domain) about failures. You've got basically the same choices as with ADSP, but more flexibility about how to work. The example the specification provides as to how you'd start using DKIM/SPF is roughly this:

1. Deploy DKIM and SPF.
2. Publish a DMARC policy of "none" with a feedback reporting address (this is like ADSP's "unknown", except that you also state that you want feedback about failures, so if they are really from you, you can figure out how to fix the problem).
3. Tune your DKIM/SPF use until the feedback reports indicate that all your mail is appropriately authenticated.
4. Increase the DMARC policy strength to "quarantine" for a small percentage (this instructs the receiver to quarantine any messages that don't meet the policy, but only for a randomly selected percentage of mail).
5. Gradually increase the percentage (to 100%) as you get more confident that all mail is appropriately authenticated.
6. Set a DMARC policy of "reject" (again with a small percentage to start with, building over time to 100%), so that rather than quarantining, messages that don't meet the policy are simply rejected.

DMARC is new, so only a few anti-spam filters are using it at present, but that will (probably) increase over time, and there's little cost in adopting it now. If you choose to use DMARC, then right now you could get to step 2, and then continue through the steps as you manage to get all mail signed.
George W Bush at Information Security
Other answers
I don't think there's a definite answer to this question. There are so many spam filters and they all work differently, so it's hard to predict how they would treat this condition. My gut feeling is that you're definitely increasing the chances of your corporate mail getting blocked if your DNS indicates that it supports DKIM, yet the message does not bear any DKIM signatures. For example, http://gmailblog.blogspot.de/2008/07/fighting-phishing-with-ebay-and-paypal.html. This is however a rather specific case, and I can't imagine that Google can apply this to any domain, given that not all domains can guarantee all emails are DKIM signed. http://www.faqs.org/rfcs/rfc4870.html states that the signing domain (you) can specify an Outbound Signing Policy for your emails via DNS, specifically: o = Outbound Signing policy ("-" means that this domain signs all email; "~" is the default and means that this domain may sign some email with DomainKeys). So in theory, spam filters should honour this, if you specify that not all emails are signed. However, this RFC has been superseded by http://www.faqs.org/rfcs/rfc4871.html - in which I couldn't find a similar section... I think this just illustrates how vague the situation might be, and how one spam filter might decide to take completely different actions from another...
Yoav Aner
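As an added example (not code from either answer, nor from any of the projects mentioned), the script below evaluates what a receiver is expected to do with a message that has no valid DKIM signature under each of the three policy mechanisms the two answers discuss: the legacy DomainKeys "o=" tag from RFC 4870 (second answer), an ADSP "dkim=" record, and a DMARC record with "p=" and "pct=" (first answer). It also encodes the staged DMARC rollout from the first answer as sample records and includes a check that a given set of published records is compatible with signing only some of a domain's mail. The domain, the reporting address and all records are constructed samples; nothing is looked up in DNS, and the random sampling used by DMARC's pct tag is injectable so that the outcome can be inspected deterministically.

```python
"""Disposition of an UNSIGNED message under DomainKeys / ADSP / DMARC policy records.

Added example; the records below are constructed samples and no DNS lookup is made.
  * legacy DomainKeys policy   (_domainkey.<domain>       TXT "o=-" or "o=~")
  * ADSP (RFC 5617)            (_adsp._domainkey.<domain> TXT "dkim=...")
  * DMARC (RFC 7489)           (_dmarc.<domain>           TXT "v=DMARC1; p=...; pct=...")
"""
import random

ACCEPT, SUSPICIOUS, DISCARD, QUARANTINE, REJECT = (
    "accept", "suspicious", "discard", "quarantine", "reject")


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def domainkeys_disposition(record):
    """Legacy DomainKeys 'o=' tag: '-' = this domain signs all mail, '~' (default) = may sign some."""
    return SUSPICIOUS if parse_tags(record).get("o", "~") == "-" else ACCEPT


def adsp_disposition(record):
    """ADSP 'dkim=' practice; a missing or unrecognised value is treated as 'unknown'."""
    practice = parse_tags(record).get("dkim", "unknown").lower()
    return {"unknown": ACCEPT,        # domain signs some or all mail: unsigned mail is normal
            "all": SUSPICIOUS,        # domain signs all mail: receiver decides (flag/quarantine)
            "discardable": DISCARD,   # domain signs all mail and asks for silent discard
            }.get(practice, ACCEPT)


def dmarc_disposition(record, rng=random.random):
    """DMARC 'p=' policy with 'pct=' sampling, for a message that fails DMARC.

    rng() must return a float in [0, 1). Per RFC 7489 section 6.6.4 a message that
    falls outside the pct sample gets the next weaker policy (reject -> quarantine,
    quarantine -> none).
    """
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ACCEPT                          # not a DMARC record: no policy published
    policy = tags.get("p", "none").lower()
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        return ACCEPT                          # malformed record: a strict receiver ignores it
    if policy not in (QUARANTINE, REJECT):
        return ACCEPT
    if rng() * 100 >= pct:                     # this message is outside the sample
        return QUARANTINE if policy == REJECT else ACCEPT
    return policy


def safe_for_partial_signing(domainkeys=None, adsp=None, dmarc=None):
    """True if every published record lets an unsigned message through untouched,
    i.e. the records are compatible with signing only some of the domain's mail.
    Sampling is irrelevant here: any quarantine/reject policy is unsafe even at a
    small pct, so the message is evaluated as always selected (rng returns 0.0)."""
    results = []
    if domainkeys is not None:
        results.append(domainkeys_disposition(domainkeys))
    if adsp is not None:
        results.append(adsp_disposition(adsp))
    if dmarc is not None:
        results.append(dmarc_disposition(dmarc, rng=lambda: 0.0))
    return all(r == ACCEPT for r in results)


# The staged DMARC rollout from the first answer, as constructed sample records
# (example.com and the rua address are placeholders).
DMARC_ROLLOUT = [
    ("monitor only",          "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"),
    ("quarantine 10% sample", "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com"),
    ("quarantine everything", "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com"),
    ("reject 10% sample",     "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc-reports@example.com"),
    ("reject everything",     "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"),
]


def rollout_dispositions(selected):
    """Disposition of a failing message at each rollout stage; 'selected' says whether
    the message falls inside the pct sample."""
    rng = (lambda: 0.0) if selected else (lambda: 0.999)
    return [(stage, dmarc_disposition(rec, rng=rng)) for stage, rec in DMARC_ROLLOUT]


if __name__ == "__main__":
    print("partial signing, no policy records   :", safe_for_partial_signing())
    print("partial signing, ADSP dkim=all       :", safe_for_partial_signing(adsp="dkim=all"))
    print("partial signing, DomainKeys o=-      :", safe_for_partial_signing(domainkeys="o=-"))
    for inside in (True, False):
        print("message inside pct sample:" if inside else "message outside pct sample:")
        for stage, disp in rollout_dispositions(inside):
            print(f"  {stage:22} -> {disp}")
```

Running the script shows the practical point of both answers: with no records, an ADSP record of "unknown", a DomainKeys tag of "o=~" or a DMARC policy of "none", an unsigned message is left alone, so signing only the e-commerce mail is safe; publishing "o=-", "dkim=all", "dkim=discardable" or any quarantine/reject DMARC policy (even with a small pct) tells receivers to treat the unsigned corporate mail as suspect.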