Did you ever wonder how many organizations out there are signing their mail with DKIM? Or how many organizations rely on SPF as a tool to validate their inbound mail?
Well, I’ve wondered as well. DKIM supposedly is getting more popular, but how widespread is it? Are lots of people using it, or is it used by only a few of the big organizations?
I decided to do a quick investigation using statistics that I have from the past 45 days. SPF is the technology that I understand best and is easiest for me to measure. Out of all of the mail that we deliver to end users (assume that 100% of it is non-spam), 38% of it passes an SPF check. So, approximately 2 out of every 5 messages that send us good mail is validated using SPF checks.
For DKIM, I don’t have a way of validating a DKIM signature since Microsoft does not yet support it. However, for the sake of argument I am going to assume that the existence of a DKIM header means that it is not spoofed; it is not advantageous to the spammer to spoof a DKIM header since it wouldn’t decrypt properly anyhow. My point is that I assume that the existence of the DKIM header means that someone legitimately attached it.
Using this gauge, 14% of messages that we mark as non-spam contains a DKIM signature. To put it another way, about 1 out of every 7 non-spam messages is signed with DKIM. That’s actually quite a bit, it takes a long time to put a new technology out there and get it adopted, especially one that is as complex as DKIM (complex compared to SPF for example).
But does a DKIM signature or an SPF check guarantee that a message is valid? The answer is no. I don’t know of anyone worth their salt in the antispam world that would assume that a message authenticated using either of those two technologies must therefore be valid. To give you hard numbers, 10% of messages passing an SPF check and 8% of messages with a DKIM header are subsequently marked as spam by our content filters. That’s around 90%. So, the probability that an authenticated technology is high, but it is no guarantee.
For interest’s sake, here is the SPF breakdown of mail that makes it past our IP blocklists (incidentally, the above is mail that makes it past our IP blocklists, too):
The numbers above are interesting. SPF Neutral and Hard Fails don’t really seem to have any influence one way or the other on whether or not a message is subsequently marked as spam as they closely align to our network wide statistics on spam. SPF None results don’t really have that great an affect on whether or not a message is marked as spam which suggests that there are a lot of small senders out there who do no authentication at all and are not spamming.
This can be interpreted in two ways: Either (1) there are lots of people out there who aren’t spamming despite doing no authentication, or (2) authentication hasn’t really caught on yet the way we in the email industry would like.