
DKIM authentication is a good start at fixing email

The Yahoo-Cisco technology is expected to combat phishing and spoofing, but it's not a magic bullet that can kill spam.

"Two years from now, spam will be solved." The owner of this quote? None other than Microsoft's Bill Gates, who articulated this lofty goal to delegates at a World Economic Forum meeting in Davos, Switzerland, in January 2004. Microsoft itself now believes some 90 percent of today's email traffic to be "unsolicited bulk mail." Clearly we have some way to go before spam is contained, let alone eradicated, from our daily email experience.

As discouraging as this prospect may be, some of the biggest names on the internet are promoting email authentication technologies that may justify cautious optimism. One such technology, officially named DomainKeys Identified Mail but also known as "DomainKeys" or DKIM, is being pushed by Internet giants Yahoo and Cisco Systems.

DKIM came from the June 2005 marriage between Yahoo's DomainKeys technology and Cisco's Internet Identified Mail technology when both companies recognized the similarity of their approaches and the need to avoid competing standards. DKIM is intended to weed out spoofing and phishing attacks from legitimate email by verifying that a message purported to come from a particular domain did in fact come from that domain - and even a specific user in some cases.

How It Works

DKIM, which should be available soon via open source plug-ins, works in the following way. The originating mail server attaches an encoded digital "signature" to an outgoing message's header; the signature is produced with public-key cryptography, using the server's own private key for this step.

The message traverses the Internet before arriving at the destination mail server, which sees the DKIM signature and retrieves the originating mail server's public key through a DNS lookup.

That key is then used to decode, and thereby validate, the signature on the message. Once the destination server is confident that the message did indeed originate with the proper mail server, it routes the message to the intended recipient.
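The sign-then-verify flow described above, as an added example that is not code from the article or from the Yahoo/Cisco implementation. It is a deliberately reduced DKIM: a fixed set of covered headers, "simple" canonicalization (header values used as given), a single constructed in-memory map standing in for the DNS record at selector._domainkey.domain, and Go's standard-library RSA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed stand-in for DNS: the record at <selector>._domainkey.<domain> would carry this public key.
var dnsKeys = map[string]*rsa.PublicKey{}

// NewKey makes the sending domain's RSA key pair; the public half is what gets published in DNS.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// digest hashes the covered headers plus the DKIM-Signature header with an empty b= tag; signer and verifier must agree on these bytes.
func digest(headers map[string]string, sigHdr string) []byte {
	h := sha256.New()
	for _, k := range []string{"from", "to", "subject"} {
		h.Write([]byte(k + ":" + headers[k] + "\r\n"))
	}
	h.Write([]byte("dkim-signature:" + sigHdr))
	return h.Sum(nil)
}

// Sign is the originating server's step: build the DKIM-Signature header value using its private key.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers map[string]string, body string) string {
	bh := sha256.Sum256([]byte(body))
	sigHdr := fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=from:to:subject; bh=%s; b=", domain, selector, base64.StdEncoding.EncodeToString(bh[:]))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(headers, sigHdr))
	return sigHdr + base64.StdEncoding.EncodeToString(sig)
}

// Verify is the receiving server's step: parse the tags, fetch the key from (simulated) DNS, check body hash and header signature.
func Verify(sigHdr string, headers map[string]string, body string) bool {
	tags := map[string]string{}
	for _, kv := range strings.Split(sigHdr, ";") {
		if i := strings.Index(kv, "="); i > 0 {
			tags[strings.TrimSpace(kv[:i])] = strings.TrimSpace(kv[i+1:])
		}
	}
	bh := sha256.Sum256([]byte(body))
	pub := dnsKeys[tags["s"]+"._domainkey."+tags["d"]]
	if pub == nil || tags["bh"] != base64.StdEncoding.EncodeToString(bh[:]) {
		return false // no key published for this selector/domain, or the body was altered in transit
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(headers, sigHdr[:strings.Index(sigHdr, "; b=")+4]), sig) == nil
}
```

Note that Verify only answers "did the domain named in d= sign this exact content"; it says nothing about whether the content is wanted, which is the limitation the article returns to below.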

While the technology underlying DKIM may involve sophisticated cryptography, in practice DKIM is not terribly complicated - as long as the originating and terminating mail servers use DKIM. The process does not require additional software at both ends of the transaction, nor does it require additional processing power to account for the extra step of encoding and decoding DKIM-compliant messages.

Competing Standards

Yahoo and Cisco are designing DKIM to be as compatible as possible with the older DomainKeys standard promoted by Yahoo so that migration from DomainKeys to DKIM will be relatively painless. Several big-name ISPs and web-based email providers already use the older DomainKeys technology, including Earthlink and Yahoo Mail, with largely positive results.

On July 11, 2005, Yahoo and Cisco submitted DKIM to the Internet Engineering Task Force (IETF) for discussion at the IETF meeting in Paris from July 31 to Aug. 5. Because DKIM has only recently been discussed in settings like the IETF, it is likely to take some time before the technology is fully approved and supported. But with such heavyweight players as Yahoo and Cisco backing DKIM, one would assume the standard is bound to succeed.

Microsoft, however, is pushing its own authentication scheme called Sender ID for which it owns several related patents. Sender ID also has "experimental RFC" status at the IETF, making the outcome of this standards battle unclear.

Strengths and Limitations

Whether or not DKIM succeeds in becoming the sender authentication standard of choice, it is important to recognize what it can and cannot do. If widely adopted, it can identify the originating email server from which a message came. Why does this matter? Because if you can authenticate the originating mail server, you can identify and stop spoofing and phishing attacks - a very good start.

On the flip side, DKIM will not succeed at stopping spam because authentication alone does not tell you if a message is legitimate. Think of a spam attack via thousands of zombies: DKIM will only authenticate that each zombie did indeed send the message, at which point it simply routes the message (i.e. spam) to the end user. However, when used in conjunction with a technology that searches for spam via traffic patterns, DKIM can be very effective at stopping spoofing and phishing attacks, spam or any other threat.

Although it is far too early to know, DKIM looks promising at being able to help combat the twin dangers of spoofing and phishing attacks. While this alone will not eradicate the vast majority of spam, it is a good start that we should all keep a close eye on.

The author is director of corporate marketing and global channels at Mirapoint.
