
New Spec Could Cut Phishing, Spam

IETF approves email signature standard pioneered by Yahoo!, Cisco

Phishers and spammers beware: It may soon be a lot harder to pretend you're somebody you're not.

The Internet Engineering Task Force, which sets the technical standards for the Internet, yesterday approved DomainKeys Identified Mail as a proposed standard (RFC 4871). The specification, a three-year effort pioneered by Yahoo!, Cisco, Sendmail, and PGP, is an email authentication framework: the sending domain attaches a cryptographic signature to each message, and receivers check that signature against a public key the domain publishes in the DNS, which verifies that the message was authorized by the signing domain and that the signed headers and body were not altered in transit.

In a nutshell, DKIM lets a domain "sign" each email it sends so that receivers can verify that the message really came from that domain. The signature covers the message body and a chosen set of headers (normally including From), so it also fails if either is modified after signing. A receiving domain that handles mail lacking a signature, or carrying one that does not verify, can raise a red flag to warn the recipient that the message might be a fake; a missing signature, though, only means something once the sending domain is known to sign all of its mail.

"For years, one of the big problems in Internet messaging has been the ability of a sender to use any 'from' address," says Jim Fenton, a distinguished engineer at Cisco and one of the authors of the standard. "Without too much work, you can say you're just about anybody in an email."

DKIM was created from two technologies developed several years ago: Yahoo!'s DomainKeys, which was developed for Yahoo! email users; and Cisco's Identified Internet Mail. With the help of PGP, Sendmail, and input from a host of other vendors, Yahoo! and Cisco combined their efforts into DKIM, which is already being integrated into email services, such as Gmail.

DKIM is designed to be implemented at the domain level and shouldn't require any changes at the client, developers say. Essentially, a domain owner -- such as an Internet service provider or a large corporation -- configures its outbound mail servers to "sign" messages with a private key kept on those servers, and publishes the matching public key in the DNS so that receivers can check the signatures.

On the other end, email security servers and applications can be set to look for and verify the DKIM signature on incoming messages, giving priority to mail whose signature checks out, red-flagging unsigned messages or messages with a bad signature for further scrutiny, or warning end users of potential problems.
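The signing and verification steps described above, as an added example that is not from the original article or from any of the vendors it names. It is a self-contained Go program that implements the core of RFC 4871 with only the standard library: rsa-sha256 signatures, "relaxed" header and "simple" body canonicalization, a DKIM-Signature header built by the sending domain, and a receiver that recomputes the body hash and checks the signature against the domain's public key. The domain example.com, the selector s1, the sample message and the keys map that stands in for the DNS TXT lookup are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

type Header struct{ Name, Value string }              // one "Name: value" line
type Message struct{ Headers []Header; Body string } // ordered headers plus body

var bTagRe = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // the b= tag (not bh=)

// canonHeader: DKIM "relaxed" form, lowercase name, whitespace runs collapsed, CRLF terminated.
func canonHeader(h Header) string {
	return strings.ToLower(strings.TrimSpace(h.Name)) + ":" + strings.Join(strings.Fields(h.Value), " ") + "\r\n"
}

// canonBody: DKIM "simple" form, CRLF line endings with trailing empty lines dropped.
func canonBody(body string) string {
	b := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	return strings.TrimRight(b, "\r\n") + "\r\n"
}

// findHeader returns the last header with that name (DKIM selects headers bottom-up).
func findHeader(hs []Header, name string) (Header, bool) {
	for i := len(hs) - 1; i >= 0; i-- {
		if strings.EqualFold(hs[i].Name, name) {
			return hs[i], true
		}
	}
	return Header{}, false
}

// hashInput is the signed data: the h= headers in order, then DKIM-Signature itself with empty b= and no CRLF.
func hashInput(m Message, fields []string, sigValue string) []byte {
	var sb strings.Builder
	for _, f := range fields {
		if h, ok := findHeader(m.Headers, f); ok {
			sb.WriteString(canonHeader(h))
		}
	}
	sb.WriteString(strings.TrimSuffix(canonHeader(Header{"DKIM-Signature", sigValue}), "\r\n"))
	return []byte(sb.String())
}

// Sign is the sending domain's side: rsa-sha256 over the relaxed/simple canonical form.
func Sign(m Message, domain, selector string, fields []string, key *rsa.PrivateKey) (string, error) {
	bh := sha256.Sum256([]byte(canonBody(m.Body)))
	val := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.ToLower(strings.Join(fields, ":")), base64.StdEncoding.EncodeToString(bh[:]))
	digest := sha256.Sum256(hashInput(m, fields, val))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return val + base64.StdEncoding.EncodeToString(sig), nil
}

// parseTags turns "v=1; a=rsa-sha256; ..." into a map; base64 '=' padding survives the split.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 {
			tags[strings.TrimSpace(p[0])] = strings.TrimSpace(p[1])
		}
	}
	return tags
}

// Verify is the receiving domain's side (rsa-sha256, relaxed/simple only). keys stands in for
// the DNS TXT lookup of <selector>._domainkey.<domain>; any error is grounds to flag the message.
func Verify(m Message, keys map[string]*rsa.PublicKey) error {
	sigHdr, ok := findHeader(m.Headers, "DKIM-Signature")
	if !ok {
		return fmt.Errorf("no DKIM-Signature header")
	}
	t := parseTags(sigHdr.Value)
	pub, ok := keys[t["s"]+"._domainkey."+t["d"]]
	if !ok {
		return fmt.Errorf("no key published at %s._domainkey.%s", t["s"], t["d"])
	}
	bh := sha256.Sum256([]byte(canonBody(m.Body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != t["bh"] {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"]) // malformed b= simply fails verification below
	digest := sha256.Sum256(hashInput(m, strings.Split(t["h"], ":"), bTagRe.ReplaceAllString(sigHdr.Value, "${1}${2}b=")))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("bad signature: a signed header was altered or the key is wrong")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := Message{Headers: []Header{{"From", "alice@example.com"}, {"Subject", "Invoice"}}, Body: "Hi Bob\r\n"} // constructed
	sig, _ := Sign(msg, "example.com", "s1", []string{"From", "Subject"}, key)
	msg.Headers = append(msg.Headers, Header{"DKIM-Signature", sig})
	fmt.Println(Verify(msg, map[string]*rsa.PublicKey{"s1._domainkey.example.com": &key.PublicKey}))
}
```

The verifier fails on exactly the things a receiver should flag: no signature at all, no published key for the selector and domain, a body hash that no longer matches, or a signature that does not verify because a signed header such as From was changed. Whitespace-only changes that relays commonly make, such as extra trailing blank lines or a refolded header, still verify because of the relaxed/simple canonicalization. A production verifier would fetch the key record from DNS, handle multiple signatures and other algorithms and canonicalizations, and apply a policy to unsigned mail.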

Fenton emphasizes that the new standard won't stop spam, but if it is widely adopted it could force spammers to stop sending messages from bogus email domains. "DKIM makes it harder for an attacker to make a message look like it's coming from a bank or some other trusted source, so it directly addresses some aspects of phishing," he says. But spammers could actually use DKIM themselves, "and we have some evidence that they already are."

Both Cisco and Yahoo! say they have already deployed DKIM to help protect messages sent from their own domains. "We currently see about a billion DomainKeys signed emails flow through Yahoo! Mail each day," said Mark Delany, lead architect for Yahoo! Mail and author of DomainKeys. "We look forward to continued momentum as more senders adopt the new email authentication standard."

It's hard to say just how effective DKIM will be in reducing phishing and spam from bogus addresses, Fenton says. First, it has to be adopted, though that adoption should accelerate with the IETF's blessing. "We have seen a lot of ISPs, and some big financial institutions, on the verge of implementing it."

But it's important to remember that the standard itself won't stop anything. "What it really does is make [anti-spam and anti-phishing] products work better," Fenton says. "Its impact will be determined by how it's used in products."

The IETF's DKIM Working Group is currently working on a best practices document that will help vendors, users, email advertisers, and reputation services get the most out of the standard, Fenton says. The group is also developing language that will help email domains tell recipients they are signing all of their messages with DKIM.

— Tim Wilson, Site Editor, Dark Reading
