> > If you use it hopefully its less likely your messages will be marked
> > as SPAM. I doubt DKIM is any better at blocking SPAM. They both do
> > basically the same thing which is insure only authorized senders are
> > allowed to send messages for a given domain.
>
> At the USENIX 2007 meeting, some Sendmail folks held a BoF on use of
> DKIM. In that, one of the presenters stated (paraphrasing from memory)
> that some of the banks which have been targets of phishing attacks have
> been going to the large ISPs to persuade them to (a) turn on DKIM
> verification and (b) actively reject anything claiming to come from them
> (the banks) which fails DKIM verification.
>
> If this holds true, then it may be in practice that DKIM will be
> necessary for phishing targets and just spam-score for everyone else, to
> get mail through to big email providers, with manual lists of
> DKIM-required.
>
> In any case, turning on DKIM signing for outbound email for people with
> small servers (such as I'm now using, since I'm no longer an ISP
> postmaster) is a pretty definite win. Turning on DKIM verification has
> some DoS possibilities which some people are very concerned about,
> others less so.
>
> For myself, I DomainKeys-sign outbound and verify inbound. Further,
> later tonight (unless something intervenes) I'll try out the new Exim
> snapshot which supports dual-signing (DomainKeys + DKIM). The problem
> with DKIM before now has been transitioning in Exim, since you'd have to
> disable DomainKeys in DNS and wait for that change to expire from caches
> everywhere, before enabling DKIM. Being able to run both concurrently
> provides a protected transition mechanism.
>
> Myself, once I've transitioned to DKIM then I'll be inclined to put in a
> learning DB with a tool which scans Exim logs for senders who used DKIM,
> verifies that they're publishing DNS saying that they use DKIM
> (non-testing) and then updates the DB to add that domain, so that future
> mail from that domain will require use of DKIM. A learn-and-lock
> approach. Perhaps with the ability to notice disappearing DKIM DNS for
> those domains already in the DB.
One issue I have heard is that due to license issues you cannot
distribute Exim as a compiled RPM with domainkeys support. Something
about license issues with the Domainkeys library. Has this changed?
http://wiki.exim.org/DomainKeys
I use Directadmin which uses Exim. Directadmin has not added
Domainkeys support for this very reason from what I heard.
I would think SPF would stop alot phishing attacks as well. One thing
though is that usually the return email address is usually not that of
the bank anyway but rather something that sounds like it. I doubt
Domainkeys or SPF can solve that. Clamav does a pretty good job of
stopping phishing though.
Matt
