Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Some stats and figures on DKIM and SPF



Did you ever wonder how many organizations out there are signing their mail with DKIM?  Or how many organizations rely on SPF as a tool to validate their inbound mail?

Well, I’ve wondered as well.  DKIM supposedly is getting more popular, but how widespread is it?  Are lots of people using it, or is it used by only a few of the big organizations?

I decided to do a quick investigation using statistics that I have from the past 45 days.  SPF is the technology that I understand best and is the easiest for me to measure.  Out of all of the mail that we deliver to end users (assume that 100% of it is non-spam), 38% passes an SPF check.  So, approximately 2 out of every 5 legitimate messages we receive are validated by an SPF check.

For DKIM, I don’t have a way of validating a DKIM signature since Microsoft does not yet support it.  However, for the sake of argument I am going to assume that the existence of a DKIM header means that the message is not spoofed; it is not advantageous to a spammer to spoof a DKIM header, since a forged signature wouldn’t verify anyway.  My point is that I assume the existence of the DKIM header means that someone legitimately attached it.

Using this gauge, 14% of messages that we mark as non-spam contain a DKIM signature.  To put it another way, about 1 out of every 7 non-spam messages is signed with DKIM.  That’s actually quite a bit: it takes a long time to put a new technology out there and get it adopted, especially one as complex as DKIM (complex compared to SPF, for example).

But does a DKIM signature or an SPF check guarantee that a message is valid?  The answer is no.  I don’t know of anyone worth their salt in the antispam world who would assume that a message authenticated using either of those two technologies must therefore be valid.  To give you hard numbers, 10% of messages passing an SPF check and 8% of messages with a DKIM header are subsequently marked as spam by our content filters.  That leaves around 90% that are legitimate.  So, the probability that an authenticated message is good is high, but it is no guarantee.

For interest’s sake, here is the SPF breakdown of mail that makes it past our IP blocklists (incidentally, the figures above also cover only mail that makes it past our IP blocklists):

[Figure: SPF result breakdown of mail that makes it past the IP blocklists; image not preserved]

The numbers above are interesting.  SPF Neutral and Hard Fail results don’t really seem to have any influence one way or the other on whether a message is subsequently marked as spam, since their spam rates closely align with our network-wide spam statistics.  SPF None results don’t have much effect on whether a message is marked as spam either, which suggests that there are a lot of small senders out there who do no authentication at all and are not spamming.

This can be interpreted in two ways: Either (1) there are lots of people out there who aren’t spamming despite doing no authentication, or (2) authentication hasn’t really caught on yet the way we in the email industry would like.
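To make the measurements in this post concrete, here is an added example (my own code, not Terry’s or Microsoft’s) that tallies the same figures over a constructed sample of ten messages: each message’s Received-SPF result, whether it carries a DKIM-Signature header (counted by presence only, exactly as the post assumes, not a verified signature), and the content filter’s spam verdict.  All headers, domains, IP addresses and verdicts are constructed, and the `build_message`, `spf_result`, `has_dkim` and `summarize` helpers are mine.

```python
"""Tally SPF and DKIM figures like the ones in the post over a constructed sample.

Added example, not the author's or Microsoft's code.  Each record is a raw
message (only its headers matter) plus the content filter's verdict, True = spam.
DKIM is counted by header *presence*, as the post assumes; a real pipeline
would count only signatures that actually verify.
"""
from collections import Counter
from email import message_from_string


def build_message(spf_result_text=None, dkim_domain=None):
    """Construct a minimal raw message with the two headers the tally reads."""
    headers = []
    if spf_result_text is not None:
        # Received-SPF (RFC 4408) begins with the result keyword.
        headers.append(f"Received-SPF: {spf_result_text} (mx.example.net: sender 192.0.2.10)")
    if dkim_domain is not None:
        # Signature fields are placeholders; nothing here is verified.
        headers.append(f"DKIM-Signature: v=1; a=rsa-sha256; d={dkim_domain}; s=sel;"
                       " bh=PLACEHOLDER; b=PLACEHOLDER")
    headers.append("From: sender@example.org")
    return "\n".join(headers) + "\n\nbody\n"


# Constructed sample of messages that already cleared the IP blocklists.
SAMPLE = [
    (build_message("pass", "bank.example"), False),
    (build_message("pass"), False),
    (build_message("pass", "shop.example"), True),   # authenticated, still spam
    (build_message("none"), False),
    (build_message(None), False),                    # no header at all -> "none"
    (build_message("none"), True),
    (build_message("neutral"), False),
    (build_message("fail"), True),
    (build_message("softfail", "list.example"), False),
    (build_message("pass"), False),
]


def spf_result(raw):
    """Return the SPF result keyword, or 'none' when no Received-SPF header exists."""
    header = message_from_string(raw).get("Received-SPF")
    return header.split()[0].lower() if header else "none"


def has_dkim(raw):
    """True when a DKIM-Signature header is present (presence only, not verified)."""
    return "DKIM-Signature" in message_from_string(raw)


def ratio(numerator, denominator):
    """Fraction as a float, 0.0 when the denominator is empty."""
    return numerator / denominator if denominator else 0.0


def summarize(records):
    """Compute the post's figures: the share of non-spam that authenticates, the
    spam rate given authentication, and each SPF result's spam rate so it can be
    compared against the network-wide rate."""
    rows = [(spf_result(raw), has_dkim(raw), spam) for raw, spam in records]
    ham = [r for r in rows if not r[2]]
    spf_pass = [r for r in rows if r[0] == "pass"]
    signed = [r for r in rows if r[1]]
    count_by_result = Counter(r[0] for r in rows)
    spam_by_result = Counter(r[0] for r in rows if r[2])
    return {
        "overall_spam_rate": ratio(len(rows) - len(ham), len(rows)),
        "spf_pass_share_of_ham": ratio(sum(r[0] == "pass" for r in ham), len(ham)),
        "dkim_share_of_ham": ratio(sum(r[1] for r in ham), len(ham)),
        "spam_rate_given_spf_pass": ratio(sum(r[2] for r in spf_pass), len(spf_pass)),
        "spam_rate_given_dkim": ratio(sum(r[2] for r in signed), len(signed)),
        "spf_breakdown": {
            result: (n, ratio(spam_by_result[result], n))
            for result, n in sorted(count_by_result.items())
        },
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for key in ("overall_spam_rate", "spf_pass_share_of_ham", "dkim_share_of_ham",
                "spam_rate_given_spf_pass", "spam_rate_given_dkim"):
        print(f"{key:26s} {stats[key]:.0%}")
    print("SPF result   count  spam rate  (vs network-wide)")
    for result, (n, rate) in stats["spf_breakdown"].items():
        print(f"{result:12s} {n:5d}  {rate:8.0%}  ({rate - stats['overall_spam_rate']:+.0%})")
```

On the constructed sample, 3 of 7 non-spam messages pass SPF, 2 of 7 carry a DKIM header, and 1 in 4 SPF-passing messages is still marked spam; the last column of the breakdown is the comparison the post makes by eye, a result whose spam rate sits near the network-wide rate carries little signal on its own.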

  • "... guarantee that a message is valid?  The answer is no."

    You are wrong.

    First of all, neither of these methods address the actual content of the messages they protect, so if you equate "valid" to "non-spam", you're just another idiot with a blog.  What SPF and DK do is verify that the sender is who he claims to be; NOTHING MORE.

    All it means is that if you are spammed, you can be certain of the origin of the spam as an authorized sender.  It does nothing to protect you from receiving spam, viruses, or other malicious content.  It simply means that you can determine, within limits, where the message came from, so when you report the spammer to whatever databases you participate in, you are reporting accurate information.

    Although much spam is also forged, all SPF and DK address is the forgery status.  There can be non-spammy forged messages, and non-forged spam.  Spamminess and source authenticity are orthogonal characteristics:  One has no bearing on the other.

  • Where SPF or DKIM would seem to be the most useful would be for authenticating known-good senders such as customers' banks and treating them preferentially.

    Authentication by itself doesn't bear on the spamminess or wantedness of a given message, but provides some means to tie a sender to an identity as opposed to random bot senders or unauthenticated senders whose identity is uncertain or not obviously tied to IPs or sending domains.  Good or bad reputation can be assigned to a known identity.  Assigning reputation to an unknown identity is more challenging.

    BTW Stussy, inaccurate ad hominem attacks on Terry won't win you any points here.  They're a great way to get people to discount or ignore your message.

  • One other great advantage of SPF is that I can give other email admins permission to delete or block email using my domain but originating from unauthorized servers.  It matters less to me how many people publish SPF records than how many people honor them.  My SPF record is designed to protect my domain's reputation and lessen backscatter and joe-jobs directed at my servers or users.

  • Years ago, I used to be skeptical of SPF. Until one day one of my vanity domains got hit by a flood of spams bouncing to forged addresses, in a massive dictionary-attack kind of way. Thanks to SPF's simplicity, I was able to get it set up within a few minutes. I also installed ASSP (anti-spam proxy) with some aggressive settings which effectively helped funnel the backscatter to admins not honoring SPF records.

    Within a few days, the bounces slowed to a trickle. Now I have not received a bounce to a forged address in several MONTHS, maybe even one or two years.

    People who criticize SPF just have too narrow a view of the world, and are too attached to useless relics such as the "transparent" forwarding of messages.

  • @D. Stussy

    Nice job trying to make it seem like you know what you're talking about. Tzink is in the email spam business at Microsoft, so he has far more credentials and respect than you ever will. Run back to your micro-blog obsession and vent your anger.
