August 15, 2005
Viewpoint: DKIM Authentication Is a Good Start At Fixing E-Mail
The Yahoo!-Cisco technology is expected to combat phishing and spoofing, but it's not a magic bullet that can kill spam.

"Two years from now, spam will be solved." The owner of this quote? None other than Microsoft’s Bill Gates, who articulated this lofty goal to delegates at a World Economic Forum meeting in Davos, Switzerland in January, 2004. As Microsoft itself now believes some 90% of today’s e-mail traffic to be “unsolicited bulk mail”, clearly we have a ways to go before spam is contained, let alone eradicated, from our daily e-mail experience.
As discouraging as this prospect may be, some of the biggest names in the Internet are promoting e-mail authentication technologies that may justify cautious optimism. One such technology, officially named DomainKeys Identified Mail but also known as "DomainKeys" or DKIM, is being pushed by internet giants Yahoo! and Cisco Systems.
DKIM came from the June 2005 marriage between Yahoo's DomainKeys technology and Cisco's Identified Internet Mail technology when both companies recognized the similarity of their approaches and the need to avoid competing standards. DKIM is intended to weed out spoofing and phishing attacks from legitimate e-mail by verifying that a message purported to come from a particular domain did in fact come from that domain -- and even a specific user in some cases. Spam and phishing attacks often "spoof" the originating domain by changing an e-mail’s header information to make it seem as if the message is coming from a legitimate source, thereby disguising the sender’s identity and location -- and potentially tricking the recipient into divulging confidential information.
How It Works
DKIM, which should be available soon via open source plug-ins, works in the following way:
- The originating mail server attaches a digital “signature” to an outgoing message’s header, generated with public-key cryptography using the server’s own private key.
- The message traverses the Internet before arriving at the destination mail server, which sees the DKIM signature and retrieves the originating domain’s public key from that domain’s DNS records.
- That key is then used to check, and thereby validate, the signature on the message.
- Confident that the message did indeed originate with the originating mail server, the destination server then routes the message to the intended recipient.
While the technology underlying DKIM may involve sophisticated cryptography, in practice DKIM is not terribly complicated as long as the originating and terminating mail servers both utilize DKIM. DKIM does require additional software at both ends of the transaction, but it does not require additional processing power to account for the extra step of signing and verifying DKIM-compliant messages.
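The three steps above, written out as an added example (standard-library Go, not code from the article or from the Yahoo!/Cisco implementation): the sending side signs a message with its RSA private key, "publishes" the public key in a map that stands in for the domain's DNS record, and the receiving side looks the key up and verifies the signature. The selector s1, the domains and the message text are constructed for the example; real DKIM also canonicalizes headers and carries the signature in a DKIM-Signature header, which this sketch omits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// dnsKeys stands in for step 2's DNS lookup (a constructed map, not real DNS), keyed like DKIM records: <selector>._domainkey.<domain>.
var dnsKeys = map[string]*rsa.PublicKey{}
// digest hashes the signed headers and body; any change to either in transit changes it.
func digest(headers []string, body string) []byte {
	d := sha256.Sum256([]byte(strings.Join(headers, "\r\n") + "\r\n\r\n" + body))
	return d[:]
}
// sign is step 1: the originating server signs the digest with its private key.
func sign(priv *rsa.PrivateKey, headers []string, body string) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(headers, body))
	return base64.StdEncoding.EncodeToString(sig), err
}
// verify is steps 2 and 3: fetch the signing domain's published key and check the signature; no key record or any tampering yields false.
func verify(selector, domain, sigB64 string, headers []string, body string) bool {
	pub, ok := dnsKeys[selector+"._domainkey."+domain]
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if !ok || err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(headers, body), sig) == nil
}
// demo signs a constructed message and verifies it as delivered, with the From header rewritten in transit, and as claimed by a domain that never published a key.
func demo() (genuine, spoofed, unknown bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	dnsKeys["s1._domainkey.example.com"] = &priv.PublicKey
	hdrs := []string{"From: alice@example.com", "Subject: Invoice attached"}
	body := "Please find the invoice attached.\r\n"
	sig, err := sign(priv, hdrs, body)
	if err != nil {
		return
	}
	genuine = verify("s1", "example.com", sig, hdrs, body)
	spoofed = verify("s1", "example.com", sig, []string{"From: billing@example.com", hdrs[1]}, body)
	unknown = verify("s1", "example.net", sig, hdrs, body)
	return
}
```

demo() returns true, false, false: only the unaltered message from the domain that actually published the key verifies, which is exactly the spoofing check the article describes, and also exactly why a validly signed message from a spammer's own domain would still pass.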
Competing Standards
Yahoo! and Cisco are designing DKIM to be as compatible as possible with the older DomainKeys standard promoted by Yahoo! so that migration from DomainKeys to DKIM will be relatively painless. Several big-name ISPs and web-based e-mail providers already use the older DomainKeys technology, including Earthlink and Yahoo! mail, with largely positive results.
On July 11 Yahoo! and Cisco submitted DKIM to the Internet Engineering Task Force (IETF) for discussion at the IETF meeting in Paris from July 31 to August 5. Because DKIM is just now being discussed in settings like the IETF, it will likely take some time before the technology is fully approved and supported. But with such heavyweight players as Yahoo! and Cisco backing DKIM, one would assume the standard is bound to succeed.
Microsoft, however, is pushing its own authentication scheme called Sender ID for which it owns several related patents. Sender ID also has "experimental RFC" status at the IETF, making the outcome of this standards battle unclear.
Strengths And Limitations
Whether or not DKIM succeeds in becoming the sender authentication standard of choice, it is important to recognize what it can and cannot do. If widely adopted, what it can do is identify the originating e-mail server from which a message came. Why does this matter? Because if you can authenticate the originating mail server, you can identify and stop spoofing and phishing attacks, which is a very good start.
On the flip side, DKIM will not succeed at stopping spam because authentication alone does not tell you if a message is legitimate. Think of a spam attack via thousands of zombies: DKIM will only authenticate that each zombie did indeed send the message, at which point it simply routes the message (i.e. spam) to the end user. However, when used in conjunction with a technology that looks for spam via traffic patterns, like the Rapid technology from Mirapoint, DKIM can be very effective at stopping spoofing and phishing attacks, spam and any other e-mail-borne threat.
Although it is far too early to know, DKIM looks promising at being able to help combat the twin dangers of spoofing and phishing attacks. While this alone will not eradicate the vast majority of spam, it is a good start that we should all keep a close eye on.
Craig Carpenter is a messaging expert at Mirapoint, which provides secure e-mail infrastructure technology.