Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

04 Jul 2009

Three myths about DKIM Email

The DKIM standard has been out for two years now, and we're starting to see some adoption by large mail systems, but there's still a lot of misunderstanding about what DKIM does and doesn't do.

A DKIM signature means a message isn't spam

Any a mail system can add a signatures to the messages it handles, and spammers can sign their mail, too. A DKIM signature contains, stripped down to its basics, the domain of the signer and a checksum of the message. If you get a message with a valid DKIM signature, all you know is that the the message you got was the same one that the signer signed, since the checksum validates, and that the domain's management authorized the signature, since there was a validation key in the domain's DNS. The value of DKIM comes when you have a stream of messages signed by the same domain. If a domain has earned a reputation for signing good messages, for any version of "good" you like, it's reasonable to expect subsequent signed messages to be good, too, and vice versa. The signature is only useful as a handle to recognize a message as part of a group of signed mail.

A DKIM signature means the header information is "real"

Nope, it just means that the message you got was the message they signed. Once again, signers can sign anything they want. Even if the signing domain is the same as the domain part of the From: address, sometimes called a "first party" signature, there's still no guarantee about the From: line other than that the one you see is the one they signed.

Some signing domains may make a policy of only signing mail where the From: address is verified, perhaps by knowing that the original sender logged in with credentials linked to that address, but signing policy is deliberately outside the scope of the DKIM spec.

DKIM doesn't work with mailing lists

There's two kinds of lists, announcement lists where all the mail is from one sender, and discussion lists where subscribers send in messages that are resent to all of the list members. In both cases, the sensible thing for the list manager to do is to sign the mail from the list.

The confusion arises from the possibility that mail sent to a discussion list could already have a DKIM signature applied by the original sender's system. In most cases, mailing list software makes enough changes to messages that the original DKIM signature won't validate any more. Common changes such as adding the list name to the subject line, or adding headers or footers to the mail, particularly if they're edited into the HTML code of formatted mail, would break any existing signature. A few old-fashioned list management programs (often used for technical discussion lists, and hence disproportionately popular among the members of the DKIM group) sometimes change messages so little that list recipients could still verify the incoming signature as well as the signature applied by the list, so a few people have claimed that this is how to tell if mail sent to the list is "forged", and that list software should all stop modifying messages so all signatures pass through.

This shows a fairly basic misunderstanding of what mailing lists do. As opposed to forwarders, which blindly forward incoming mail from one address to another and are just a transit point, a mailing list is really both a destination for mail submitted to the list, and the sender of list mail. During the 40 years that there have been e-mail discussion lists, list managers have developed a wide variety of mechanical and manual means to decide what submitted mail is passed through to the list, forged mail to mailing lists has never been a significant problem, and there's no reason to think that will change just because some of the mail has signatures.

People subscribe to mailing lists because they want mail from the list, and nobody I know does spam filtering on mail that they already know is from lists they've subscribed to. (We may filter out mail from chronic bozos, but that's not spam filtering, that's just looking for their addresses on the From: line.) DKIM can be useful to list managers using incoming signatures as one of the criteria to recognize mail from subscribers and help decide what gets passed through to the list. It's also useful to list recipients to help recognize mail from the list using the list's signature. Both ways, far from not working with lists, DKIM makes list management and use easier and more reliable.

  posted at: 21:17 :: permanent link to this entry :: 6 comments
Stable link is


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

It turns out you don’t need a license to hunt for spam.
112 days ago

A keen grasp of the obvious
Italian Apple Cake
670 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

My Mastodon feed

© 2005-2024 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.