The IPv4 address space is running out. In just a few years it will be completely exhausted. The only hope for the Internet to survive is to migrate to IPv6.
This was the beginning of the IPv6 portion of my networking class in college. Nearly 20 years ago. While technologies such as NAT helped to greatly slow the rate at which IP addresses were being consumed, we are finally to those dark days when the addresses to hand out are running low.
Recently in my Ask Me Anything session, we had a lot of questions about reputations and dedicated IPs. The natural question from people who worry about the scarcity of IPv4 addresses is what about IPv6. This has been a big topic of discussion internally as well, so I figured I would share my experience and thoughts on this issue.
The first thing to cover is why IP addresses for sending email are important. Long ago when inbox providers were trying to figure out which email was wanted and what was spam, the decision was made to use that limited IPv4 address space to their advantage. The address space was relatively small, fairly static, and so it was a good measure to use to determine who you were really talking to.
The IP address of the sender became the de facto place to anchor reputation for a provider, set rate limits, and then later for deny list companies to use to share information about abusers across multiple inbox providers. An IP address is something that is extremely difficult to spoof, and especially in today’s environment they are difficult to acquire or change.
The biggest issue that IPv6 faces in regards to email is that all of the anti-abuse techniques described above that work off of an IPv4 address simply do not work in IPv6. The address space is so large that it is impossible for them to do any tracking/fine grained actions on it. For example, SendGrid has an allocation of around 1x10^24 IPv6 addresses. If they were to even try some of those same techniques they would end up grouping giant ranges, like our entire range, into one category. This is the equivalent to the current practice of blocking an entire range of 255 IPv4 addresses, but even less fine grained (2^8 vs 2^80).
Because of this, very few inbox providers even speak IPv6. I did a quick check of the top 10 domains that we send to and of those, only 2 publish an IPv6 DNS record for email. I sincerely doubt that there is any provider out there that speaks only IPv6. To make matters worse, the typical migration path for IPv4 to IPv6 is to use gateways to proxy your IPv6 traffic to someone who speaks only IPv4, but those addresses, if they even allowed SMTP traffic, would be pretty much guaranteed to have a poor reputation. It’s a problem of the chicken and the egg, with a giant dog who doesn’t care which one he eats first lurking nearby.
The important next step for email to move to IPv6 is for reputation to move away from IP address. The logical place for this to go is to the domain, given that digital signatures have finally started gaining some traction. Gmail has moved more towards this model (and to a focus on a sender’s configuration), and will be providing some incentive for all senders to use digital signatures, like how they “encouraged” the rest of the ESP community to start using TLS to send all email.
Next would be for all the other major inbox providers to also modify their reputation systems to take domain reputation into account. With over 1 million inbox providers out there this isn’t such a small thing, but at least if the major providers do it there should be sufficient momentum to get others to as well. Not only do their reputation systems need this kind of a change, but all complaint feedback loops need to be converted to domain as well. Currently only Yahoo and Gmail do this.
The other part that is needed is for the deny listing companies that many inbox providers rely on for reputation to start publishing listing based on sender domain. This is a little rougher for people to integrate, since you have to wait for the entire message before you know if you’re going to reject it vs. IP-based blocks that can happen as soon as someone tries to connect, but short of adding a domain validation command into the SMTP protocol, its work that will just have to be done.
Once enough of the inbox providers out there are using domain validation, the next step would be for everyone who publishes any kind of IP address based deny list to set a date to stop doing so. If no one has a way to discriminate based on IP address, then at least IPv6 to IPv4 gateways can be used during the transition. There will always be those people who don’t feel it is worth their effort to move to the next thing, and in the end the only way to get these people to get with the program is to give them no choice.
There are certainly challenges with just domain based authentication. A bad sender can register thousands of fake domains a lot easier than they can gain that many IP addresses. In our experience, these people use stolen credit cards from their previous malicious email campaigns so it doesn’t cost them anything to do so. I have personally seen phishing emails sent from accounts that sat dormant for several months, so even age of the domain isn’t a good enough measure.
It could get to where the reputation of a particular registrar starts to matter, but I don’t know how practical that is. We have to play by whatever rules the community uses to judge our customers, and these same things could happen at the registrar level.
Inbox providers may also take into account any signature from an ESP and weigh that as well. SendGrid already has to add our own signature to all Gmail and Yahoo emails in order for complaints to be sent to us, so it wouldn’t take that much extra for a provider to take into account our overall reputation. As much as we rely on individual IP reputation to help protect our customers, there is a certain level of responsibility that the inbox providers hold us to as well. A low reputation ESP will have a lot of difficulty in the current environment, and as a high reputation ESP, I hope that remains the same going forward.
Also, as I mentioned previously, using domain reputation would require that a receiver process the entire message before issuing a verdict. This is not an insignificant amount of load on their systems. Given an easy path, the right path, and a hard path, people tend to choose the easy way. Getting 1 million different entities to agree on the right path is nowhere near easy.
For now, the best we can do is play by the current rules while encouraging change. As the IPv4 space truly becomes exhausted people will start deciding that these things matter.
An interesting side effect of this is how much it will matter how large an ESP is. Even though there is a marketplace for buying IPv4 addresses, the rules from ARIN, the organization which controls IP assignment, makes it so a company still has to show 80% utilization of their existing IP space, and that they can use those new IPs in a reasonable timeframe, before they can get more, whether they are assigned directly from ARIN or purchased.
Companies cannot just stockpile IPv4 addresses hoping to use them someday. SendGrid has been handing out dedicated IP addresses since 2009, and with around 40k of the 50k available IPv4 addresses, we have access to used we meet that criteria, and are in the process of getting another large block to support our growth. For someone who is just getting into this market, that is a pretty high bar, and they can only get more if their growth numbers justify it.
I know what you’re also going to say, that SendGrid doesn’t accept email over IPv6 either. While I would personally be a fan of us doing so, there are risks, such as how a downstream inbox provider will treat an IPv6 received header, that make this more work than just publishing a DNS record. In the end, SendGrid will do whatever is best for our customers, and when we reach the point that IPv6 is something our customers need, know that we will make it happen.
My internal joke is that I am likely to die before IPv4 does. While that is unlikely to be true for most everything else, I may not be that far off when it comes to email. It has taken almost 20 years from when the IPv6 spec was created to get to where we are now, and in the case of email that is basically even farther away than we were.
Apocalypse Sometime