Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

12 Aug 2006

Making DKIM More Useful with Domain Assurance Email

The IETF DKIM working group has been making considerable progress, and now has a close-to-final draft. DKIM will let domains sign their mail so if you get a messge from, the mail system can sign it so you can be sure it really truly is from But unless you already happen to be familiar with, this doesn't give you any help deciding whether you want the message. This is where the new Domain Assurance Council (DAC) comes in.

DAC is a smallish trade association that Paul Hoffman and I recently started. Its goal is to define consistent ways for people to do certification and reputation based on DKIM. Certification lets a trusted third party publish a list of senders they vouch for. If you have that message from, you can check with your favorite certification service to see if is on their list of known good guys, and if so, skip the spam filters and deliver the mail. The technology to check whether a domain is on a certification service's list is not complicated; on the contrary it is so easy that if you asked 10 programmers how to do it, you would get ten similar but not quite compatible approaches. DAC has mostly spec'ed out a simple way to do the check. (It's available to anyone for free. All our specs will be.) The goal is to get everyone to check the same way, so each mail program needs only to be upgraded once to support DKIM certification, and if you decide you want to change whose list you check, you need only change a configuration setting or two.

At the moment, the only people doing certification are general purpose mail certification services. (Several of them are already DAC members.) Down the road we also expect to see a lot of industry specific certifiers. For example, the FDIC or ABA might certify mail from their member banks, since they already know who the banks are. Other trade associations or regulators might similarly certify their members or regulatees.

The next step after certification will be reputation. The difference is that certification is basically one bit saying "they're OK", while reputation is more like a credit score that gives the reputation service's opinion of a sender, or a credit report with a collection of positive and negative data from which recipients can draw their own conclusions. Reputation is harder to do than certification, since a reputation report might contain anything from a single numeric score to an entire dossier of data of different types.

If you want to see how our certification system, currently called Vouch by Reference (VBR), works drop by our web site and take a look.

posted at: 01:30 :: permanent link to this entry :: 0 comments
posted at: 01:30 :: permanent link to this entry :: 0 comments

comments...        (Jump to the end to add your own comment)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

Email: you@wherever (required, for confirmation)
Title: (optional)
Show my Email address
Save my Name and Email for next time


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

Dave Piscitello on Ransomware
53 days ago

A keen grasp of the obvious
My high security debit card
599 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.