Saturday, February 09, 2008

Herd mentality with email authentication

Chad White writes:

RetailEmail.Blogspot: Alert: DKIM adoption among online retailers is way past tipping point: "Craig Spiezle, chairman of AOTA and director of internet security and privacy at Microsoft, says, “AOTA is calling on all brand owners to implement domain-level authentication within the next six months.”"

and Mr. White adds:

"I would echo that call to action. There are still far too many retailers that have not stepped up to protect themselves and their customers from cybercriminals by adopting both DKIM and Sender ID—including Ann Taylor, Barnes & Noble, Bed Bath & Beyond, Brookstone, Blue Nile, Circuit City, Costco, Crutchfield, Dell, EB Games, Home Depot, HSN, J. Crew, Office Depot, PetSmart, Sam’s Club, Sephora, Sony, Victoria’s Secret, Walgreens and Wal-Mart, among others."

Some of the retailers listed are clients of where I work. I haven't pushed for DKIM adoption for a couple of reasons:

1. For the most part, DKIM has 2 possible identifiers that reputation could be attached to.
2. One of these identifiers would cause much more work for domain owners with lots of brands.
3. Some ISPs have said they'd take an identifier and apply a function to it in which the end result would be multiple identifiers.

In short, the DKIM spec doesn't state what the output is. That's OK if there is some supplemental spec that says what identifier should be used for reputation purposes. Currently, there isn't. Instead of following the herd and being part of some grand experiment in which method A is abandoned for method B but at the expense of hurting method A adopters, I'd rather wait for a 'Best Practices' document.
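To make the "two possible identifiers" concrete, here is an added example (not from the original post) that extracts both candidates from a DKIM-Signature header and counts how many distinct reputation keys a receiver would track under each choice. It assumes the two identifiers meant are the `d=` (signing domain) and `i=` (signing identity) tags; the `retailer.example` headers and the function names are constructed for illustration.

```python
import re

# Constructed sample headers (not real mail); bh=/b= values are placeholders.
SAMPLE_HEADERS = [
    "v=1; a=rsa-sha256; d=retailer.example; s=sel1;\r\n"
    "\ti=@brand-a.retailer.example; h=from:to:subject; bh=AAAA=; b=BBBB==",
    "v=1; a=rsa-sha256; d=retailer.example; s=sel1;\r\n"
    "\ti=@brand-b.retailer.example; h=from:to:subject; bh=AAAA=; b=BBBB==",
    "v=1; a=rsa-sha256; d=retailer.example; s=sel2; h=from:to; bh=AAAA=; b=BBBB==",
]

def parse_dkim_tags(value):
    """Split a DKIM-Signature tag-list (tag=value; ...) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # base64 '=' padding stays in val
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def candidate_identifiers(value):
    """Return (d, i) for one signature; i= defaults to '@' + d when absent."""
    tags = parse_dkim_tags(value)
    d = tags.get("d", "").lower()
    if not d:
        raise ValueError("DKIM-Signature has no d= tag")
    i = tags.get("i", "@" + d)
    local, _, i_domain = i.rpartition("@")
    i_domain = i_domain.lower()
    # The i= domain must be d= itself or a subdomain of it.
    if i_domain != d and not i_domain.endswith("." + d):
        raise ValueError("i= domain %r is not within d= %r" % (i_domain, d))
    return d, local + "@" + i_domain

def reputation_keys(headers):
    """Distinct reputation keys a receiver would track under each choice."""
    pairs = [candidate_identifiers(h) for h in headers]
    return {"by_d": sorted({d for d, _ in pairs}),
            "by_i": sorted({i for _, i in pairs})}

if __name__ == "__main__":
    for choice, keys in reputation_keys(SAMPLE_HEADERS).items():
        print(choice, keys)
```

The same three signatures collapse to one key when reputation is attached to `d=` and to three when it is attached to `i=`, which is why the choice matters to a sender with many brands.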