While DKIM and SPF are good ideas, they both suffer from one basic problem: they are both opt-in systems. I'm not going to ramble on about the differences between DKIM and SPF but instead go on about the problem of opt-in systems.
For those people who opt in and configure their email sending systems to use DKIM or SPF, all is well. Their outgoing email is signed or sent from an 'officially' 'authorised' system. A recipient of the email, if they choose to check, can be reasonably sure that the email was sent by the person claiming to have sent it.
The problem is all the other email sent from people that did not opt in. I don't think that most legitimate or illegitimate email senders will opt in. As a result, most inboxes will be full of email that has no DKIM or SPF data and a few emails that do.
The problem of sorting the ham from the spam will continue. A little ham will be marked as such but that's all. Hardly a cure-all for spam.
What's to be done?
Firstly, what do people want? Is spam a problem for end users?
The presence of spam has not stopped the uptake of email services. Email is very popular in spite of all the spam. This report (PDF) suggests spam is not a great issue for most US email users. People do get caught out by phishing scams and the like but overall, people are not clamouring at the gates for change.
Other people certainly do take offence to spam. Often they're the people providing the email service. An awful lot of equipment, time and money is spent handling and providing the world's email service and if 90% of the email is spam that's a lot of wasted time, money and energy.
I know spam annoys me but that's not stopped me using email since 1991.
Does this mean spam is a plot by the email service providers? I don't think so. Without spam they could offer the same email service for less money or make more profit!
Taking action to stop spam is going to be a thankless task unless it's successful. A little bit of spam reduction is not going to be noticed by most email users.
To make DKIM and SPF useful, they need to be effectively mandatory. If they are effectively mandatory then it will be possible to use them to differentiate between ham and spam. Spammers who did not use DKIM or SPF would have their email marked as spam. Spammers who did use DKIM or SPF would have to be identified and their DKIM/SPF data marked as a source of spam; perhaps in a similar way to how the RBL system currently works.
So, in a world where DKIM/SPF type systems are effectively mandatory there would be three classes of email:
- email from normal DKIM/SPF senders
- email from 'revoked' (K-I-L-L-E-D) DKIM/SPF senders
- email from non-DKIM/SPF senders
You've probably spotted by now that I've said nothing about how to make the use of DKIM or SPF effectively mandatory. That's because it's the hard part of the entire problem!
We can invent any number of DKIM or SPF type systems but unless they're widely adopted they are not much use.
To get DKIM or SPF type systems widely adopted will require some political (i.e. not technical) effort and agreement. I just hope it does not involve any politicians!
Here's a thought...
Suppose the big web mail providing corporations agree to do a few things:
- send outgoing emails with DKIM and/or SPF - they control the sending domains and could 'just turn this on' - Google and Yahoo already do this
- class incoming emails by DKIM and/or SPF and their validity - they control the email client and could 'just turn this on' - I don't think anyone does this
  - good (DKIM/SPF checks out)
  - normal email (no DKIM/SPF data)
  - bad (DKIM/SPF has been revoked)
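As an added example (not code from the original post), here is one way a receiving mail system could apply the three-way classification described in the two lists above, reading the Authentication-Results header (RFC 8601) that a verifying MTA adds after checking DKIM and SPF. Everything beyond that header format is assumed: the revocation list `REVOKED_DOMAINS`, the MTA identity `TRUSTED_AUTHSERV_ID`, the domain names and the sample messages are constructed, and a failed or absent check is treated as 'normal' because the post assigns no class to a failing check. The example goes slightly beyond the post in one respect: it only trusts results stamped by the receiver's own MTA, since a sender can put an Authentication-Results header of its own into a message.

```python
"""Three-way mail classification (good / normal / bad) from DKIM and SPF results.

Constructed example: the receiving MTA is assumed to verify DKIM and SPF and record
the outcome in an Authentication-Results header (RFC 8601); this code reads that
header and applies the classification from the post.
"""
import re
from email import message_from_string

GOOD, NORMAL, BAD = "good", "normal", "bad"

# Hypothetical revocation list: domains whose authenticated DKIM/SPF identity has been
# reported as a spam source (an RBL-style list keyed on the authenticated domain).
REVOKED_DOMAINS = {"spammy.example"}

# The authserv-id our own MTA writes into Authentication-Results (assumed value).
# A header carrying any other authserv-id may have been added by the sender, so it is ignored.
TRUSTED_AUTHSERV_ID = "mx.receiver.example"

_COMMENT_RE = re.compile(r"\([^)]*\)")  # RFC 8601 allows comments such as "(2048-bit key)"


def parse_authentication_results(value):
    """Parse one header value into (authserv_id, [(method, result, {prop: value}), ...])."""
    value = _COMMENT_RE.sub("", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    authserv_id = parts[0].split()[0]  # drop an optional version number after the id
    results = []
    for clause in parts[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:  # e.g. header.d=bank.example, smtp.mailfrom=a@b.example
            key, _, val = token.partition("=")
            props[key.lower()] = val
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def authenticated_domains(msg, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Domains that passed DKIM or SPF according to a header stamped by our own MTA."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(value)
        if authserv_id != trusted_authserv_id:
            continue
        for method, result, props in results:
            if result != "pass":
                continue  # fail / none / temperror give no authenticated identity
            if method == "dkim" and "header.d" in props:
                domains.add(props["header.d"].lower())
            elif method == "spf" and "smtp.mailfrom" in props:
                domains.add(props["smtp.mailfrom"].rpartition("@")[2].lower())
    return domains


def classify(raw_message, revoked=REVOKED_DOMAINS, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """The post's three classes: bad (revoked identity), good (verified), normal (no data)."""
    domains = authenticated_domains(message_from_string(raw_message), trusted_authserv_id)
    if domains & revoked:
        return BAD  # authenticated, but the identity has been revoked as a spam source
    if domains:
        return GOOD  # DKIM and/or SPF checks out for an unrevoked domain
    return NORMAL  # no usable DKIM/SPF data (assumption: failed checks land here too)


# Constructed sample messages, as a receiving MTA might hand them to a filter.
SIGNED_OK = """\
Authentication-Results: mx.receiver.example;
 dkim=pass (2048-bit key) header.d=bank.example header.s=sel1;
 spf=pass smtp.mailfrom=alerts@bank.example
From: alerts@bank.example
Subject: Your statement

Statement attached.
"""

REVOKED = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=spammy.example header.s=k1
From: offers@spammy.example
Subject: Act now

Buy.
"""

UNSIGNED = """\
Authentication-Results: mx.receiver.example; dkim=none; spf=none
From: someone@smallbiz.example
Subject: Invoice

Hi.
"""

# Same message as SIGNED_OK but the header names another authserv-id, so it is not ours.
FOREIGN_HEADER = SIGNED_OK.replace("mx.receiver.example;", "other.example;")

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED_OK), ("revoked", REVOKED),
                      ("unsigned", UNSIGNED), ("foreign", FOREIGN_HEADER)]:
        print(f"{name:9s} -> {classify(raw)}")
```

Keying the revocation list on the domain that actually passed authentication, rather than on the From address, is what makes the 'bad' class meaningful: an unauthenticated message merely naming a revoked domain still lands in 'normal', and only a sender who can sign or send as that domain is penalised by its revocation.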
So far, so good and frankly given the talents of Google, Microsoft, Yahoo, AOL, etc. not so hard.
Once that's in place, don't you think that the big corporations, governments and the like will want their email to be classed as good? They'll feel some (hopefully enough) pressure to use DKIM or SPF so that, for their web-mail-using clients at least, their email will be marked as good. Commercial pressure will cause smaller organisations to follow.
The providers/suppliers of desktop email clients (Microsoft, Apple, Novell etc.) would follow suit as people got used to having their email properly classified.
Hopefully, this would give DKIM/SPF enough momentum to become effectively mandatory...