At the end of last year, Steve wrote a post about the different types of authentication. I thought I’d build on that and write about the costs associated with each type. While I know a lot of my readers are actually on the sending side, I’m also going to talk about the costs associated with the receiving side and a little bit about the costs for intermediaries such as CRM systems or ESPs.
SPF
Overall, SPF is a cheap technology to deploy for almost everyone. The type of authentication is prone to breakage from standard email processing, including forwarding.
Sending
SPF is very cheap to implement for senders. A couple hours, tops, for someone to identify what domains are used in the 5321.from address, what IPs they send from and to write a SPF record to cover them. The cost of maintaining SPF is minimal, with records only needing to be revisited when servers and domains change.
Receiving
For receivers, there’s a little more cost involved in deployement but still reasonably cheap. The receiving system has to add code to do a DNS TXT lookup on the domain in the 5321.from and compare that to the IP address sending the mail. They then have to implement a decision pathway and email handling. But, overall, it’s not that expensive to do. The cost of maintaining this is minimal.
SPF requires at least one, sometimes more, DNS lookups incurring a small cost in computing resources.
Intermediary
In this case, the intermediaries may have the most expensive deployment process. Even then, the expense is mostly in documentation and publishing ranges for their customers to use. The cost of maintaining SPF is minimal.
DKIM
The cost of deployment for DKIM increases over that of SPF although for most groups it’s not that much more. At the same time it provides a less fragile authentication than SPF.
Sending
Whether a sender runs their own MTA or is using a 3rd party deployment costs are pretty similar. The sender needs to generate a public/private key pair, install the private key on the sending server and publish the public key in DNS. The cost to doing this is low for senders using a MTA that understands DKIM.
For senders needing to upgrade their MTA, the cost is more, but really, DKIM has been around for more than a decade, it’s probably time to upgrade anyway. If a sender rotates their keys regularly (a recommended best practice (RFC5863, DMARC working group, MAAWG) this does incur a small cost.
DKIM requires a cryptographic hash to be computed for each email sent, which does incur a small cost in computing resources.
Receiving
The cost to a receiver to deploy DKIM checking is similar to that of deploying SPF checking. There needs to be a way to check a DKIM signature at, or close to, the time of delivery. Then they need to have a clear idea of what happens when a signature passes or when it fails.
DKIM requires a DNS lookup for the public key and a cryptographic hash to be computed for each email received, incurring a small cost in computing resources.
Intermediaries
As with SPF, intermediaries may actually have the most expensive deployment costs. They have all the same costs as a regular sender implementing signing including enabling DKIM signing, generating keys and publishing DNS records.
In addition to these costs, many intermediaries are expected to allow their own customers to sign with custom d= domains. This means creating processes for accepting private keys from customers, enabling signing with many different domains (and ensuring that the right key signs for the right customer), and having the ability to sign with their own domain as well. Furthermore, they need to have documentation and support for customers who want to do this.
Ongoing costs are minimal.
DMARC
DMARC can be an expensive technology to deploy, for all parties.
Sending
In order for senders to deploy DMARC across their entire organisation, they need to do, at a minimum, the following:
- Identify every outgoing source of email from their organisation;
- Check to see if SPF or DKIM authentication uses the organisational domain for authentication;
- Update any authentication that does not align to authentication that aligns;
- Configure a reporting address to receive reports about email that fails DMARC;
- Create processes to handle DMARC failure reports;
- Publish a DMARC record;
- Regularly review DMARC failure reports to identify legitimate sources of email failing DMARC.
If, for whatever reasons, the whole organisation can’t or won’t go to full DMARC protection, there is an abbreviated deployment. This involves using a subdomain for the DMARC authenticated mailstream separate from the domain used for email from the rest of the organisation. In this case, the steps are as follows:
- Create a specific subdomain for DMARC authenticated email to use;
- Set up SPF and DKIM authentication for that specific domain;
- Configure a reporting address to receive reports about email that fails DMARC;
- Create processes to handle DMARC failure reports;
- Publish a DMARC record;
- Regularly review DMARC failures to ensure legitimate mail is not failing DMARC.
DMARC deployment can be very expensive although it’s slightly less expensive to do a partial deployment on a subdomain.
Ongoing costs, even when everything is going fine, can also be substantial, particularly if the reporting scheme is simply paying one of the third parties to handle reports for you.
Receiving
Companies receiving mail who want to participate in DMARC need to create a process where they evaluate incoming mail for alignment and act on it according to how that ISP interprets DMARC policy statements. This can involve significant costs.
If a company wants to provide DMARC reports back to senders, then they also need a way to generate the reports and send email based on the DMARC policy statements. Again, deployment can be expensive.
Ongoing costs vary, but are unlikely to be excessive.
Intermediaries
Companies sending mail on behalf of other companies, have costs as well, but in the case of DMARC their costs aren’t higher than other groups. They simply need to ensure that their system is able to send customer mail that is aligned. Some intermediaries built in the ability to support custom SPF and DKIM when they initially deployed the technology. These companies had no extra costs when it came to supporting DMARC. Other companies did not, and had to build the systems and processes to support custom SPF and DKIM in order to support DMARC
Conclusion
When we look at the evolution of authentication, we see an increase in costs for each new type of authentication. One of the challenges with DMARC adoption is the cost. Overall, SPF and DKIM were cost effective for most companies to implement and they don’t cost too much to maintain. DMARC, though, is expensive and complicated to implement. A lot of the slow adoption is due to the cost and the lack of a clear and persistent benefit.
The next “stage” of authentication is BIMI, which is building on DMARC. BIMI is another technology that will be expensive to deploy, both for sending organisations and receiving organisations. Whether or not the benefits outweigh the costs remains to be seen.
For mailing lists, I would say that there wasn’t much difficulty or cost to support SPF, but that DMARC required some scrambling to implement when AOL and Yahoo switched to ‘p=reject’. DKIM required some big changes to the software and is probably the trickiest to implement, I think.
Yeah, I wasn’t thinking mailing lists when I was thinking intermediaries. I was thinking the MTA vendors. But you’re absolutely right (and I had this weird feeling I was missing someone…)