Why DKIM is Like IPv6
[[DKIM]] DomainKeys Identified Mail is an emerging IETF authentication standard that cryptographically signs outgoing email to verify the legitimate sender of the email. NetworkWorld writes about it here. Here are three reasons why DKIM will be as unsuccessful as IPv6 has been.
1. Both are complex.
DKIM requires every email server or service in an organization to have an email [[PKI]] certificate that is used to digitally sign every email sent. Email server software is readily available as open source projects and virtually every content management system or web server also performs email service functions. All of these implementations need to be discovered, certificated and managed.
IPv6 is complex. It requires the reset of every domain server, every IP device and especially every network security device – firewalls, session border controllers, virtual private network routers, intrusion prevention, intrusion detection and authentication device – needs to get and understand how to process IPv6 addresses and
2. Both are useless unless everybody adopts it.
So, your bank sends email that have been DKIM'ed. But your brother's cable company ISP doesn't. By the DKIM community's reckoning you should accept the bank's email but not your brothers. They say that the role of DKIM is to prevent the delivery of phishing emails pretending to be from your bank. But, the DKIM will also accept an email from a phisher masquerading as eBay but using the eBaj digital signature. So, in truth, all it does is tax email server administrators with a requirement to get a certificate.
Likewise, IPv6 is great but only if everybody uses it. IPv6 offers the capability to address security and mobility issues as well as available address space issues by making the need for NAT to go away. But, people understand NAT and like the QWERTY keyboard, the power of incumbency is pretty big.
3 . Both are disruptive to implement.
OK, so we agree to do DKIM and block emails from all senders that don't sign their email. Suddenly, business people in your company will be happy to tell you all the domains that don't have it. Important folks like, say CUSTOMERS. IT will be forced for compelling business reasons (see our materials on the most valuable emails that our survey participants have ever received) like we're losing business because of this email security feature! – to downgrade the service to accept all email (again).
Likewise, IPv6 requires accounting for every network device, every network service and as my friends at Great Bay Software have shown, not all devices are easily accountable, easily identifiable or easily upgraded to new services like addressing.
This post has already been read 0 times!