What is in a name?

As you are probably aware, Sendmail is heavily involved with DKIM (DomainKeys Identified Mail), one of the leading methods of Sender Authentication. Under DKIM, mail messages are signed with the sending organization's private key as they are sent. The receiving party looks up the organization's public key in DNS, under the signing domain, and verifies the signature. This not only prevents forgery of the signing domain but also detects tampering with the signed message.

However, simply verifying a signature is not enough, as nothing prevents an evil person from signing all of their mail for a domain they control. A receiver can't use a successful signature verification as an indication of message quality. The next step is to tie the verified signing domain to a reputation to determine how to treat that message. While it is true that you don't need reputation to prevent forgery, reputation does help the receiver not mistake mail from send-mail.com as being from the reputable Sendmail, Inc.
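To make the two points above concrete (the receiver's DNS lookup and tamper check, and the fact that a valid signature only tells you which domain signed, so policy has to be keyed on that domain), here is an added example in Python. It is not Sendmail's code or part of this post. It parses a DKIM-Signature header and the key record a receiver would fetch from `<selector>._domainkey.<d=>`, verifies the body hash (`bh=`), and then looks the signing domain up in a reputation table. The sample header, key record, body and reputation table are all constructed; the RSA check over the signed headers needs a crypto library and is represented by the `signature_valid` argument, which is an assumption of this example rather than something the post describes.

```python
"""Toy DKIM receiver policy: parse the signature and key record, check the
body hash, then decide based on the d= domain's reputation, not the IP.
Added example, not Sendmail's code. The RSA verification of the header
hash (b=) is passed in as `signature_valid`; everything else runs as shown."""
import base64
import hashlib
import re

# Constructed reputation table keyed on the DKIM signing domain (d=).
DOMAIN_REPUTATION = {
    "sendmail.com": "accredited",   # a known good sender
    "send-mail.com": "unknown",     # look-alike domain anyone could register
}

# Tags RFC 6376 requires in every DKIM-Signature header.
REQUIRED_SIG_TAGS = frozenset({"v", "a", "b", "bh", "d", "h", "s"})

# Constructed message body, signed below.
SAMPLE_BODY = "Hello from send-mail.com\r\n\r\n"


def parse_tags(text):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace
    inside values so b=, bh= and p= compare cleanly."""
    tags = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def simple_body_canon(body):
    """'simple' body canonicalisation: CRLF line ends, and any run of
    trailing empty lines collapsed to exactly one CRLF."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return (text.rstrip("\r\n") + "\r\n").encode()


def body_hash(body):
    """Base64 SHA-256 of the canonicalised body, as carried in bh=."""
    return base64.b64encode(hashlib.sha256(simple_body_canon(body)).digest()).decode()


# Constructed DKIM-Signature header; bh= is computed so it matches SAMPLE_BODY.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=send-mail.com; s=sel1;"
    " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=ZmFrZXNpZ25hdHVyZQ=="
)

# Constructed TXT record published at sel1._domainkey.send-mail.com (p= is a placeholder).
SAMPLE_DNS_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ_placeholder"


def key_record_name(sig):
    """DNS name the verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def key_record_problem(sig, rec):
    """Return a reason string if the published key record is unusable, else None."""
    if rec.get("v", "DKIM1") != "DKIM1":
        return "key record is not a DKIM1 record"
    if "p" not in rec:
        return "key record has no p= tag"
    if rec["p"] == "":
        return "key revoked (empty p=)"
    if sig["a"].split("-")[0] != rec.get("k", "rsa"):
        return "signature algorithm does not match published key type"
    return None


def classify(sig_header, dns_record, body, signature_valid):
    """Combine header, key record, body hash and the external crypto result into
    a decision keyed on the d= domain. The sending IP plays no part here."""
    sig = parse_tags(sig_header)
    missing = REQUIRED_SIG_TAGS - set(sig)
    if missing:
        return {"dkim": "permerror", "domain": sig.get("d"), "reputation": None,
                "reason": "missing tags: " + ",".join(sorted(missing))}
    domain = sig["d"]
    problem = key_record_problem(sig, parse_tags(dns_record))
    if problem:
        return {"dkim": "permerror", "domain": domain, "reputation": None, "reason": problem}
    if body_hash(body) != sig["bh"]:
        return {"dkim": "fail", "domain": domain, "reputation": None,
                "reason": "body hash mismatch (message altered)"}
    if not signature_valid:
        return {"dkim": "fail", "domain": domain, "reputation": None,
                "reason": "header signature did not verify"}
    # A pass proves only who signed; reputation decides how to treat the mail.
    return {"dkim": "pass", "domain": domain,
            "reputation": DOMAIN_REPUTATION.get(domain, "unknown"),
            "reason": "signed by " + domain}


if __name__ == "__main__":
    print(key_record_name(parse_tags(SAMPLE_SIGNATURE)))
    print(classify(SAMPLE_SIGNATURE, SAMPLE_DNS_RECORD, SAMPLE_BODY, True))
```

Run as-is, the message from send-mail.com passes DKIM yet comes back with reputation "unknown"; the same header with `d=sendmail.com` comes back "accredited". That is the whole point of the post: the pass/fail result identifies the signer, and a separate, domain-keyed reputation decides what to do with it.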

You may be asking why DKIM verification plus IP reputation isn’t enough.  Given the mail industry consolidation, the sending host’s IP is becoming less and less useful for reputation.  If it weren’t already registered, I could have send-mail.com registered in about 20 minutes.  Next, I sign up for Google’s free service, Google Apps for Your Domain.  Then I send my mail through Google’s SMTP server.  The mail message will come from a Google IP address.  How does the IP reputation for Google’s mail server relate to mail from send-mail.com?  Clearly it does not.  Even completely outside of DKIM, IP reputation is going to become less and less useful for anything but bot blocking.  You can’t judge a sender based on the machine that sent the mail.  You need to judge based on the quality of the sender’s organization which is only related to their domain.

With DKIM preventing forgeries, domain-based reputation can provide an accurate representation of the quality of the sender and therefore the quality of the content (outside of ISP domains).  IP reputation still has a place but it will transition more and more into an IP blacklist (e.g., IP addresses that shouldn’t be originating mail).  It is my belief that we won’t see widespread DKIM adoption until there is an open and collaborative domain-based sender reputation system.  The first step has been taken with domain-based accreditation (“good” sender list).  Hopefully, in time, that will evolve into a full reputation system.

This entry was posted in Gregory Shapiro, Uncategorized.
