IETF approves new weapon to fight spam, phish

After years of wending its way through the labyrinth that is the IETF standards process, the much-discussed DomainKeys Identified Mail specification (DKIM) gained approval as an official IETF standard on Wednesday. The approval is seen as a major step in the fight against both spam and phishing attacks, old threats that continue to grow and morph on a weekly basis.

DKIM is an authentication framework for email that enables organizations to add a cryptographic signature to outgoing mail, certifying that the message came from the domain displayed in the mail header. Domain spoofing is a favorite tactic of spammers and phishers of all stripes and its widespread use has made it increasingly difficult for enterprises and individual email users to separate legitimate mail from junk. The framework, which is a collaborative effort among Cisco Systems, Yahoo, Sendmail and PGP, is the result of a combination of two earlier specifications advanced by Cisco and Yahoo: Domain Keys and Internet Identified Mail. The two frameworks shared some attributes and the companies in 2005 decided to merge them and submit the resulting DKIM specification to the Internet Engineering Task Force for consideration as a standard.

Sendmail announced on 23 May that it has incorporated the new standard into its Sentrion mail appliances, and also is supporting it in its switches and the open source Sendmail server. Yahoo, of Sunnyvale, Calif., has supported Domain Keys in its popular Web mail service for years, and officials said the company sees more than a billion Domain Keys-signed mails every day.

Eric Allman, the co-founder and chief science officer at Sendmail, said he believes DKIM will be most useful in combating phishing and that adoption of the standard should move quickly now that it has the IETF stamp of approval.

"I think primarily this will be attacking phishing for now. ID fraud is incidental to spam, but it's fundamental to phishing," Allman said. "In a year I'd hope that a lot of the big phishing targets are signing [their mail messages]. They have a vested interest I doing so because this is real money to them. I'd also hope that a percentage of the major ISPs will have implemented it too. It's a little harder to draw a line to bottom-line revenue for them, but churn is a big issue for ISPs, so anything that will keep customers from leaving is important."

Along with Yahoo, Google Inc.'s Gmail service signs messages with both DKIM and Domain Keys right now and Allman said he's aware of several large banks that have been testing DKIM in anticipation of its approval by the IETF.

DKIM and so-called reputation systems, such as Microsoft Corp.'s Sender ID framework, work by enabling mail senders to build up reputations for being senders of legitimate mail and not spam. Organizations tend to guard those reputations well once they're established and avoid doing anything that will harm them.

" Things like reputation systems and DKIM give us a record of good senders so we know who sends good mail and who doesn't. Some of the ISPs have been doing outbound authentication for a while and it's working," Paul Judge, chief technology officer of Secure Computing Inc., and a leading authority on spam, said in an interview recently. "Some of the bigger legitimate companies that are using DKIM or Sender ID are saying, if you get anything from me that fails Sender ID, please drop it. They'd rather have messages with broken signatures dropped than have them hurt their reputations."

Mark Delany, the inventor of Domain Keys and an engineer at Yahoo, said in a blog posting that the IETF approval is nice, but is the beginning, rather than the end, for DKIM. "Everything hinges on wide-spread adoption. Now that DKIM is on Standards Track, the hurdle to global adoption has been greatly reduced, but not cleared," Delany wrote. "I joked earlier that someone might not have heard of DKIM, but the email industry is so big and diverse that evangelizing, education and encouragement are needed to ensure the success of DKIM."

Sendmail's Allman agreed. "We need to get the word out. A standard is just a piece of paper until people start using it," he said. "The reception has been very good. We still need people working on reputation services because we need to know the domains that we're talking to."