Phishers and spammers beware: It may soon be a lot harder to pretend you're somebody you're not.
The Internet Engineering Task Force, which sets the technical standards for the Internet, yesterday approved the DomainKeys Identified Mail standard as a proposed standard (RFC 4871). The specification, a three-year effort pioneered by Yahoo!, Cisco, Sendmail, and PGP, is an email authentication framework that uses cryptographic signature technology to verify the domain of the sender.
In a nutshell, DKIM allows email senders to "sign" each email to verify that it comes from their domain. If the receiving domain handles an email that does not contain the signature, it can raise a red flag to warn the recipient that the message might be a fake.
"For years, one of the big problems in Internet messaging has been the ability of a sender to use any 'from' address," says Jim Fenton, a distinguished engineer at Cisco and one of the authors of the standard. "Without too much work, you can say you're just about anybody in an email."
DKIM was created from two technologies developed several years ago: Yahoo!'s DomainKeys, which was developed for Yahoo! email users; and Cisco's Identified Internet Mail. With the help of PGP, Sendmail, and input from a host of other vendors, Yahoo! and Cisco combined their efforts into DKIM, which is already being integrated into email services, such as Gmail.
DKIM is designed to be implemented at the domain level and shouldn't require any changes at the client, developers say. Essentially, a domain owner -- such as an Internet service provider or a large corporation -- equips its servers with the ability to "sign" outgoing messages, verifying their authenticity.
On the other end, email security servers and applications can be set to look for the DKIM signature in incoming messages, giving priority to signed mail and red-flagging unsigned messages for further scrutiny, or warning end users of potential problems.
Fenton emphasizes that the new standard won't stop spam, but if it is widely adopted it could force spammers to stop sending messages from bogus email domains. "DKIM makes it harder for an attacker to make a message look like it's coming from a bank or some other trusted source, so it directly addresses some aspects of phishing," he says. But spammers could actually use DKIM themselves, "and we have some evidence that they already are."
Both Cisco and Yahoo! say they have already deployed DKIM to help protect messages sent from their own domains. "We currently see about a billion DomainKeys signed emails flow through Yahoo! Mail each day," said Mark Delany, lead architect for Yahoo! Mail and author of DomainKeys. "We look forward to continued momentum as more senders adopt the new email authentication standard.
It's hard to say just how effective DKIM will be in reducing phishing and spam from bogus addresses, Fenton says. First, it has to be adopted, though that adoption should accelerate with the IETF's blessing. "We have seen a lot of ISPs, and some big financial institutions, on the verge of implementing it."
But it's important to remember that the standard itself won't stop anything. "What it really does is make [anti-spam and anti-phishing] products work better," Fenton says. "Its impact will be determined by how it's used in products."
The IETF's DKIM Working Group is currently working on a best practices document that will help vendors, users, email advertisers, and reputation services get the most out of the standard, Fenton says. The group is also developing language that will help email domains tell recipients they are signing all of their messages with DKIM.
Tim Wilson, Site Editor, Dark Reading