Gmail's receiving mostly authenticated email
Saw an interesting article from Gmail on their inbound email statistics. Over 91% is authenticated with either DKIM or SPF. 75% is both, the rest is one or the other. That doesn't indicate how much is encrypted, but anything that has the framework to do that authentication could fetch a key as well. (Doesn't stop the feds from collecting the mail after Gmail receives it, of course, but it's an indication of how much email could relatively easily add some encryption to reduce in-transit eavesdropping.)
At 09:56 PM 12/14/2013, Peter Gutmann wrote:
> Bill Stewart <bill.stewart@pobox.com> writes:
>> Saw an interesting article from Gmail on their inbound email statistics. Over 91% is authenticated with either DKIM or SPF.
> What percentage of that is using 512-bit keys?
They didn't say. (And the threat model for spam protection probably doesn't include spammers cracking RSA keys, so 512-bit would be perfectly adequate, but I'd hope people were using 1024.)
On 15.12.2013 06:56, Peter Gutmann wrote:
> Bill Stewart <bill.stewart@pobox.com> writes:
>> Saw an interesting article from Gmail on their inbound email statistics. Over 91% is authenticated with either DKIM or SPF.
> What percentage of that is using 512-bit keys?
According to [1], Google is treating mails signed with keys <1024 bit as unsigned.

felix

[1] https://support.google.com/mail/answer/180707?hl=en
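An added example (my own code, not from anyone in the thread): given a DKIM selector's TXT record, it parses the p= public key, reports the RSA modulus size, and applies the key-length policy cited from [1]. The minimal DER reader and the constructed fixture record are assumptions of this example, not anything the thread or Google publishes.

```python
import base64

def der(tag, payload):
    """Encode one DER TLV; used only to build the constructed fixture."""
    n = len(payload)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)  # keep INTEGER positive

def read_tlv(buf):
    """Decode one DER TLV; return (tag, value, remaining bytes)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                        # long-form length
        pos += length & 0x7F
        length = int.from_bytes(buf[2:pos], "big")
    return tag, buf[pos:pos + length], buf[pos + length:]

RSA_ALG = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL params

def spki_modulus_bits(spki):
    """RSA modulus size in bits from a DER SubjectPublicKeyInfo (the DKIM p= value)."""
    _, body, _ = read_tlv(spki)              # outer SEQUENCE
    _, alg, rest = read_tlv(body)            # AlgorithmIdentifier
    if der(0x30, alg) != RSA_ALG:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = read_tlv(rest)            # BIT STRING; first byte = unused bit count
    _, rsa_key, _ = read_tlv(bitstr[1:])     # RSAPublicKey SEQUENCE
    _, modulus, _ = read_tlv(rsa_key)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_bits(txt_record):
    """Parse a DKIM selector TXT record (tag=value pairs) and return its RSA key size."""
    tags = dict(kv.strip().split("=", 1) for kv in txt_record.split(";") if "=" in kv)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None                          # revoked key (empty p=) or non-RSA key type
    return spki_modulus_bits(base64.b64decode(tags["p"]))

def google_accepts(bits):
    """Policy from [1] as quoted in the thread: keys shorter than 1024 bits count as unsigned."""
    return bits is not None and bits >= 1024

def make_record(bits):
    """Constructed fixture: a DKIM record whose RSA modulus is `bits` long (not a real key)."""
    rsa_key = der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    spki = der(0x30, RSA_ALG + der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

To check a live selector, feed the TXT record for `<selector>._domainkey.<domain>` to `dkim_key_bits` and then `google_accepts`; a 512-bit result means mail signed with that key is classified the same as unsigned mail by the cited policy.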
On Dec 14, 2013, at 9:56 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> Bill Stewart <bill.stewart@pobox.com> writes:
>> Saw an interesting article from Gmail on their inbound email statistics. Over 91% is authenticated with either DKIM or SPF.
> What percentage of that is using 512-bit keys?

Zero. DKIM requires at least a 1024-bit key. Whatever you might want to say about those is a different discussion. SPF is non-cryptographic authentication.

Jon
I saw that article too, and thought it was interesting, but I noticed something odd in their statistics:

"""
91.4% of ***NON-SPAM*** emails sent to Gmail users come from authenticated senders, which helps Gmail filter billions of impersonating email messages a year from entering our users’ inboxes. More specifically, the 91.4% of the authenticated ***NON-SPAM*** emails sent to Gmail users come from senders that have adopted one or more of the following email authentication standards: DKIM (DomainKey Identified Email) or SPF (Sender Policy Framework).
"""
(emphasis mine)
http://googleonlinesecurity.blogspot.com/2013/12/internet-wide-efforts-to-fi...

So first Google runs their pretty-good-but-not-perfect spam filtering, then they look at what they've categorized as non-spam to generate those statistics. The ham (not spam) emails that are miscategorized are much more likely to be omitting SPF/DKIM, so there's a bit of selection bias occurring.

Also, for what it's worth, SPF isn't related to crypto at all, and is ridiculously easy to set up for 'normal' domain admins. (That is, domain admins with a couple of well-known SMTP servers, and not some crazy distributed architecture.) There's a great calculator online for it here:
https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard...

There are some tricky questions people may not know the answer to, but omitting answers will only create a more _permissive_ policy, rather than run the risk of borking your email.

-tom