Home / Blogs

Is Amazon Playing Chicken With Mailbox Providers?

It’s easy to look at Amazon SES and sigh. Thousands of low-end customers sending mail from a shared IP pool? Amazon already knows that trick never works! Just one spammer will ruin the reputation of those IP addresses, resulting in ongoing delivery problems for everyone who uses the service.

It is possible that Amazon can build the systems and human processes to keep spammers out; certainly sounds like they want to. Constant Contact managed that with their shared IP pools, but they’re still constantly working to keep things clean. So is MailChimp, who last year publicized some of how their system works—not a small investment at all.

Like any new service, Amazon SES will have to balance constant growth and the features their customers are demanding against features needed for abuse prevention. The market for an easy outbound mail API “in the cloud” may well be gigantic; it’s pretty obvious that email is the last thing that the latest social/cloud/whatever startup entrepreneur wants to think about.

When the next hot site discovers that deliverability isn’t ever guaranteed—indeed, when they discover that deliverability is even a word (which is still debatable)—will they blame Amazon, or will they blame the mailbox provider who rejected the message?

Mailbox providers never want to block mail that their users actually want to receive, so they’re already in a tough situation. If Amazon SES or another cloudy shared-IP outbound email service becomes popular—and I think it could—then mailbox providers will each have to choose: let that mail in and risk the spam (and worse), or block it and risk upsetting customers? Would blocking it force Amazon to change their architecture to give each customer a unique IP address (which they really can’t do anymore), or will someone start screaming about censorship? Who’ll blink?

It doesn’t have to be contentious. There’s another way. We have the technology.

Amazon says that messages can be signed with DKIM before they’re injected into SES. That’s probably not as easy as API-minded folks might like, but at least it’s an option.

Now imagine: there’s this wild new mailstream spurting and sputtering from shared IPs. Some is spam, some isn’t, and some of each of those are signed with DKIM. All the mailbox providers (or their spam filter vendors) need is a DKIM-based domain reputation system! The big mailbox providers have already been experimenting with this, and a few have built things; now the rest will need to catch up.

So, no, I don’t think Amazon is intentionally playing chicken. But they could: Amazon could require injected messages to be signed with DKIM, or even sign them themselves, perhaps using the sender’s AWSAccessKeyId or another unique identifier in the i= value so that different senders can be held apart. Differentiation is the real key here; DKIM is simply a convenient, standard way to accomplish it.

And if that game of chicken did commence? This time, I might just bet on the cloud.

This article was originally published on Return Path’s Received: blog.

By J.D. Falk, Internet Standards and Governance

Filed Under


Isn't this called something else in polite company?? Neil Schwartzman  –  Feb 17, 2011 6:18 PM

like ... snow shoeing? Why, yes, yes it is! http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233

Your point is well taken, until there is a domain-based reputation system (and domain blacklists like Spamhaus’ DBL are part of that equation, trying to send mail from disparate IPs is a Sender’s folly, and likely to be tagged as ‘spam’ even if it isn’t, because it hits the profile of what spammers are doing, today.

When it comes to a question of sheer numbers DKIM doesnt matter Suresh Ramasubramanian  –  Feb 18, 2011 2:03 AM

In other words, if the volume of spam far exceeds the volume of nonspam (and with just a few spammers infesting a system, that's quite easy to happen), blocks will occur, dkim or not. I don't envy the people pulling postmaster / mailops duty at amazon, they have a hard row to hoe.

Isn't that POSTAGE? Alessandro Vesely  –  Feb 23, 2011 10:00 AM

One cent for one hundred messages doesn’t seem to be a lot, but that still implies involving banks.  Are payers of those bills more tied to the sending than payers of IP-related resources?  Hm… earlier this month, someone recalled that reputation systems that work are based on money (equifax and such).

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API