GMail starts enforcing DomainKeys for eBay and PayPal

In a sign that Domain Keys Identified Mail deployments have become reliable enough to depend on, Google has started to enforce DKIM signatures on eBay and PayPal.

Quick recap: DKIM is an anti-spam scheme intended to block forged of email messages and verify the sender by using digital signatures. The  short version is every large email service provider signs messages originating from their site and the recipients verify them. Strictly speaking this is purely an authentication technology, defined by an open IETF standard— nothing prevents spammers from also signing their message but there is an implicit assumption that somewhere a reputation system will spring into existence to allow vetting the verified identities and blacklisting the miscreants. Microsoft has backed a competing solution called SenderID.

Major challenge with deploying these solutions is dealing with the “gray area.” If a message is properly signed by eBay, it is clearly coming from eBay. (Leaving aside the fact that eBay may have been handing out email accounts to its own sellers and one or more of them are spammers.) That email can be safely accepted. If the message is signed but the signature does not validate, it can be rejected– although even then there are edge cases where innocuous message modifications can cause the signature to invalidate. By design cryptographic signatures are designed to be very brittle; any change to the message invalides them. Domain Keys had to work around this.  But what about unsigned messages? It could mean that eBay does not implement the DKIM standard at all. Or perhaps they have not gotten around to deploying DKIM on all the servers. A large service may have hundreds of server dedicated to handling outbound email and the conservative approach is doing a small-scale pilot project first. The final possibility is the message did not originate with eBay and is indeed a forgery, an attempt at phishing for example. It’s important to distinguish these cases because the accept/reject decision for the message will be different.

Strictly enforcing DK would mean that unsigned messages are rejected but that can not be done until there is good reason to believe that the service provider has committed to signing 100% of outbound traffic. In October 2007 eBay (and PayPal, which is owned by eBay) announced plans for adopting DKIM. But until both services could commit to signing all traffic, strict enforcement could mean legitimate messages getting dropped or sent to the junk folder and unhappy users.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s