Microsoft tests DKIM and ADSP

Posted by J.D. Falk 

Paul Midgen, an engineer at Microsoft, recently shared some of the thinking behind Hotmail’s adoption of DKIM and ADSP with the IETF working group responsible for finalizing DKIM and related standards.

Primarily, he explained, “we implemented DKIM to offset the impact of well-known SPF false-failure scenarios.” So when an SPF/SenderID check fails — about 1.5% of their inbound traffic — they’ll look at DKIM also. If the SPF or SenderID check succeeds, they won’t.

Like SenderID, Microsoft’s DKIM implementation is further restricted to when the author domain (the domain in the email address in the From: header) matches the signing domain (the d= string in the signature). So in effect, this is an ADSP-only version of DKIM.

(We’ve discussed ADSP in detail here and here.)

Even within those boundaries, ADSP is rare. Only 2% of their inbound mail is from domains that publish a “discardable” policy, and 0.02% publish “all”; the rest are either explicitly “unknown” or have no ADSP record at all.
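The evaluation order described above (SPF gate, then d= alignment with the From: domain, then the ADSP policy), sketched as an added example that is not Microsoft's code. The verdict labels, the `phase` parameter, and the reading of "fails" as the SPF result `fail` are assumptions of this example; the ADSP record name and the `dkim=` values follow RFC 5617.

```python
from email.utils import parseaddr

def author_domain(from_header):
    """Domain of the address in the From: header, lowercased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature or ADSP TXT record)."""
    tags = {}
    for part in (value or "").split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def evaluate(spf_result, from_header, dkim_sig, sig_valid, adsp_txt, phase=1):
    """Return a verdict label (labels are this example's own, not Hotmail's).

    sig_valid is the outcome of cryptographic DKIM verification done elsewhere;
    adsp_txt is the TXT record at _adsp._domainkey.<author domain>, or None.
    """
    # Gate: phase 1 consults DKIM only on SPF "fail"; phase 2 on any non-pass.
    gated = spf_result == "fail" if phase == 1 else spf_result != "pass"
    if not gated:
        return "dkim-not-checked"
    # Alignment: the signature counts only if d= equals the From: domain.
    author = author_domain(from_header)
    d = parse_tags(dkim_sig).get("d", "").lower()
    if sig_valid and d and d == author:
        return "author-signature-pass"
    # No valid author-domain signature: the published ADSP policy applies.
    policy = parse_tags(adsp_txt).get("dkim", "unknown").lower()
    return {"all": "adsp-all-fail",
            "discardable": "adsp-discardable-fail"}.get(policy, "adsp-unknown")

# Constructed sample inputs (not real traffic).
FROM = '"Alice" <alice@example.com>'
SIG_ALIGNED = "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from; bh=abc=; b=def="
SIG_THIRD_PARTY = "v=1; a=rsa-sha256; d=lists.example.net; s=k1; h=from; bh=abc=; b=def="

if __name__ == "__main__":
    print(evaluate("pass", FROM, SIG_ALIGNED, True, "dkim=all"))
    print(evaluate("fail", FROM, SIG_ALIGNED, True, "dkim=all"))
    print(evaluate("fail", FROM, SIG_THIRD_PARTY, True, "dkim=discardable"))
    print(evaluate("softfail", FROM, SIG_THIRD_PARTY, True, "dkim=all", phase=2))
```

A valid signature from a third-party domain does not satisfy the alignment step, so a message relayed and re-signed by a mailing list still falls through to the author domain's ADSP policy.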

Paul insists that “Hotmail’s use of DKIM+ADSP should not be interpreted as a political statement”, and that they’re “still experimenting with the two standards”.

For the next phase of the experiment, Microsoft plans to start verifying DKIM signatures for “all non-passing SPF results, or ~49% of total inbound volume.”
