After years of wending its way through the labyrinth that is the
IETF standards process, the much-discussed DomainKeys Identified
Mail (DKIM) specification was approved as an IETF Proposed Standard
on Wednesday. The approval is seen as a major step in the fight
against both spam and phishing, old threats that continue to grow
and morph on a weekly basis.
DKIM is an authentication framework for email that lets a sending
organization add a cryptographic signature to outgoing mail. The
signing domain publishes its public key in DNS and signs selected
headers and the message body with the matching private key; a
receiving server looks up that key and verifies that the signing
domain took responsibility for the message and that the signed
parts were not altered in transit. What the signature proves is
the signing domain named in the signature itself, which a receiver
still has to compare with the domain shown in the From header.
Domain spoofing is a favorite tactic of spammers and phishers of
all stripes, and its widespread use has made it increasingly
difficult for enterprises and individual email users to separate
legitimate mail from junk. The framework, a collaborative effort
among Cisco Systems, Yahoo, Sendmail and PGP, merges two earlier
specifications: Yahoo's DomainKeys and Cisco's Identified Internet
Mail. The two shared some attributes, and in 2005 the companies
decided to combine them and submit the resulting DKIM
specification to the Internet Engineering Task Force for
consideration as a standard.
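As an added illustration, not part of the original article and not code from any of the vendors named in it, the following Go program signs and verifies a message the way the DKIM RFC (4871, later revised as 6376) describes: relaxed header canonicalization, a body hash (bh=), an RSA-SHA256 signature over the listed headers (b=), and a verifier that fetches the public key by selector and domain. Everything in it is constructed for the example: the domains bank.example and attacker.example, the selector s1, the keys, the message, and a Go map standing in for the selector._domainkey.domain DNS TXT lookup. It is simplified (one header per name, "simple" body canonicalization, no DNS), but it shows the caveat above: a phisher who signs with his own domain's key gets a perfectly valid DKIM signature on a message whose From: header claims the bank, so the receiver has to compare the signature's d= with the From: domain before trusting it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/mail"
	"strings"
)

// relaxHeader: "relaxed" header canonicalization (RFC 6376 s3.4.2): lowercase
// name, whitespace runs collapsed, so a relay re-folding a header keeps b= valid.
func relaxHeader(name, value string) string {
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash is the bh= tag: SHA-256 of the body under "simple" canonicalization
// (s3.4.3), which ignores trailing empty lines.
func bodyHash(body string) string {
	bh := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(bh[:])
}

// signedDigest hashes the headers named in h (in that order, looked up by lowercase
// name; a missing one hashes as empty), then the DKIM-Signature header itself
// with an empty b= tag and no trailing CRLF (s3.7).
func signedDigest(h []string, hdrs map[string]string, sigNoB string) []byte {
	var buf strings.Builder
	for _, n := range h {
		buf.WriteString(relaxHeader(n, hdrs[strings.ToLower(n)]))
	}
	buf.WriteString(strings.TrimSuffix(relaxHeader("DKIM-Signature", sigNoB), "\r\n"))
	d := sha256.Sum256([]byte(buf.String()))
	return d[:]
}

// dkimSign returns a DKIM-Signature header value for d=domain, s=selector,
// covering the headers listed in h and the body.
func dkimSign(priv *rsa.PrivateKey, domain, selector string, h []string, hdrs map[string]string, body string) (string, error) {
	sigNoB := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(h, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedDigest(h, hdrs, sigNoB))
	if err != nil {
		return "", err
	}
	return sigNoB + base64.StdEncoding.EncodeToString(sig), nil
}

// dkimVerify checks sigValue against the message; dns stands in for the DNS TXT
// lookup of selector._domainkey.domain. It returns d=, the only identity proven.
func dkimVerify(dns map[string]*rsa.PublicKey, sigValue string, hdrs map[string]string, body string) (string, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(sigValue, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = strings.TrimSpace(kv[1])
		}
	}
	if bodyHash(body) != tags["bh"] {
		return "", fmt.Errorf("body hash mismatch: body altered after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])         // a bad b= simply fails below
	sigNoB := sigValue[:strings.LastIndex(sigValue, "; b=")+4] // signed form has b= empty
	digest := signedDigest(strings.Split(tags["h"], ":"), hdrs, sigNoB)
	pub := dns[tags["s"]+"._domainkey."+tags["d"]]
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) != nil {
		return "", fmt.Errorf("no key or invalid signature for d=%s s=%s", tags["d"], tags["s"])
	}
	return tags["d"], nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// scenario (constructed data): bank.example signs a genuine alert, then attacker.example
// signs a copy that still says "From: alerts@bank.example". Both signatures verify;
// only comparing d= with the From: domain catches the spoof.
func scenario() (legitSigner, phishSigner string, phishAligned bool, tamperErr error) {
	bankKey := must(rsa.GenerateKey(rand.Reader, 2048))
	atkKey := must(rsa.GenerateKey(rand.Reader, 2048))
	dns := map[string]*rsa.PublicKey{ // stand-in for the published TXT records
		"s1._domainkey.bank.example":     &bankKey.PublicKey,
		"s1._domainkey.attacker.example": &atkKey.PublicKey,
	}
	h := []string{"From", "To", "Subject"}
	hdrs := map[string]string{"from": "Example Bank <alerts@bank.example>",
		"to": "victim@example.net", "subject": "Please   verify  your account"}
	body := "Log in at the link below.\r\n\r\n"
	legit := must(dkimSign(bankKey, "bank.example", "s1", h, hdrs, body))
	legitSigner = must(dkimVerify(dns, legit, hdrs, body))
	_, tamperErr = dkimVerify(dns, legit, hdrs, "Log in at http://evil.example/\r\n")
	phish := must(dkimSign(atkKey, "attacker.example", "s1", h, hdrs, body))
	phishSigner = must(dkimVerify(dns, phish, hdrs, body))
	from := must(mail.ParseAddress(hdrs["from"])).Address
	phishAligned = strings.EqualFold(from[strings.LastIndex(from, "@")+1:], phishSigner)
	return
}
```

Running scenario() gives legitSigner "bank.example", phishSigner "attacker.example", phishAligned false, and a body-hash error for the tampered copy. The verifier's output is the signing domain, not a verdict on the From header; that domain is what a reputation system scores, and the alignment comparison at the end is the receiver's own policy decision layered on top of DKIM.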
Sendmail announced on 23 May that it has incorporated the new
standard into its Sentrion mail appliances, and also is supporting
it in its switches and the open source Sendmail server. Yahoo, of
Sunnyvale, Calif., has supported DomainKeys in its popular Web
mail service for years, and officials said the company sees more
than a billion DomainKeys-signed mails every day.
Eric Allman, the co-founder and chief science officer at
Sendmail, said he believes DKIM will be most useful in combating
phishing and that adoption of the standard should move quickly now
that it has the IETF stamp of approval.
"I think primarily this will be attacking phishing for now. ID
fraud is incidental to spam, but it's fundamental to phishing,"
Allman said. "In a year I'd hope that a lot of the big phishing
targets are signing [their mail messages]. They have a vested
interest in doing so because this is real money to them. I'd also
hope that a percentage of the major ISPs will have implemented it
too. It's a little harder to draw a line to bottom-line revenue for
them, but churn is a big issue for ISPs, so anything that will keep
customers from leaving is important."
Along with Yahoo, Google Inc.'s Gmail service signs messages
with both DKIM and DomainKeys right now, and Allman said he's aware
of several large banks that have been testing DKIM in anticipation
of its approval by the IETF.
DKIM and other sender-authentication schemes, such as Microsoft
Corp.'s Sender ID framework, give a receiving system a verified
identity to which a reputation can be attached. Reputation systems
built on that identity let mail senders build up a record of
sending legitimate mail rather than spam, and organizations tend to
guard those reputations well once they're established and avoid
doing anything that will harm them.
"Things like reputation systems and DKIM give us a record of
good senders so we know who sends good mail and who doesn't. Some
of the ISPs have been doing outbound authentication for a while and
it's working," Paul Judge, chief technology officer of Secure
Computing Inc., and a leading authority on spam, said in an
interview recently. "Some of the bigger legitimate companies that
are using DKIM or Sender ID are saying, if you get anything from me
that fails Sender ID, please drop it. They'd rather have messages
with broken signatures dropped than have them hurt their
reputations."
Mark Delany, the inventor of Domain Keys and an engineer at
Yahoo, said in a blog posting that the IETF approval is nice, but
is the beginning, rather than the end, for DKIM. "Everything hinges
on widespread adoption. Now that DKIM is on Standards Track, the
hurdle to global adoption has been greatly reduced, but not
cleared," Delany wrote. "I joked earlier that someone might not
have heard of DKIM, but the email industry is so big and diverse
that evangelizing, education and encouragement are needed to ensure
the success of DKIM."
Sendmail's Allman agreed. "We need to get the word out. A
standard is just a piece of paper until people start using it," he
said. "The reception has been very good. We still need people
working on reputation services because we need to know the domains
that we're talking to."