I thought it might be useful to chime in here. My goal is simply to show where a commercial sender/receiver might see some value, with Daniel's APNIC presentation in mind. I'm not asserting that any of this applies to a regional ISP per se, but insofar as it applies to their customers they may wish to understand it.
If you want to use any of what follows outside of this mailing list, contact me before doing so.

Bank of America has been using SPF and DKIM for more than a few years now. We have a rich mix of originators of message traffic using various domains and subdomains, located on both sides of traditional corporate boundaries, and targeting different internal and external recipients. We've gone to considerable effort to implement these techniques as widely as possible, and to educate and encourage other corporations to do so. We have done this because we believe that doing so will enable us to better protect our customers from fraud and abuse, with respect to our brands and relationships. Speaking about this publicly may help others reach similar conclusions, which may help protect our customers from being compromised through other brands and relationships. So for us, this is a very real and practical matter.

Early on, even without 100% coverage, we were able to address certain issues around bad actors targeting our employees. We found that to be of great benefit, even though it wasn't why we started down this path.

We see real value in DKIM for what we believe it gives us - a way for a receiver to tell whether or not a given message using one of our domains was sent by ourselves or one of our delegates. There are definitely cases where the technique breaks down, and there is also an added cost to our operations, but these factors have not changed our cost/benefit decisions.

There hasn't been much press coverage lately about high-profile bilateral DKIM+SSA adoption, such as the Yahoo and eBay/PayPal arrangement. However, in the past year or so several startups have appeared that seek to act as SSA clearinghouses or brokers. This approach certainly seems more practical than a proliferation of bilateral agreements, offering some kind of uniform mechanism while avoiding real/perceived limitations of ADSP - but you've got to have a handle on DKIM to participate.

Also, over the past several years a lot of MTA appliance vendors have delivered DKIM functionality that can be used in making receiver filtering decisions. I would suggest that we don't know how many of their customers are using DKIM with a local policy for high-value or certain highly-phished traffic. Consider the use of mandatory TLS to protect messages in transit between specific endpoints - something we know the financial and legal communities have adopted with vigor and real savings, despite any weakness over other solutions. It seems likely to me that something similar is happening with DKIM, though getting the data to back it up would be difficult.

--Steve.

Steven M Jones
ET&D Desktop & Electronic Communications
Bank of America; Concord, California
[email protected]

NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
