The Internet Engineering Task Force has published new specifications for authenticating email, another tool in the fight against spam and phishing.
The specifications were published for DomainKeys Identified Mail (DKIM), which combines several existing anti-phishing and anti-spam methods to create an improved way to sort and identify legitimate email. The specifications would allow software vendors and email service providers to build the protections into their products and services immediately.
Instead of using an IP address to identify the sender of each message, DKIM adds a digital signature associated with the sender's domain name. That signature is then validated invisibly at the recipient's end. "White lists" and "black lists" are then used by the email infrastructure software to validate the reputation of the sender.
"Domain names are far more stable than IP addresses," said Dave Crocker, an IT consultant and contributor to the DKIM project. "Domain names align with an organisation far better than an IP address."
Because it incorporates a digital signature, "it allows a piece of email to be identified definitively as somebody's," rather than as an email coming from an IP address that could be used by multiple people or a spam bot, he said. "It's a step along the way to regaining trust in email," Crocker added.
The core technologies used in DKIM have been around for years, he said. "We're taking existing pieces and using them together in new ways."
The DomainKeys project was started several years ago by Yahoo as a way to fight phishing and spam; the Identified Internet Mail project was begun by Cisco.
The DomainKeys project was particularly innovative because it specified the use of domain names rather than IP addresses to authenticate senders, Crocker said. DomainKeys also used the existing Domain Name System (DNS) to transmit the public keys needed for encryption, rather than adding yet another infrastructure layer.
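The receiver-side steps described above, as an added illustration that is not from the article or the DKIM project: the tag=value syntax of RFC 6376, the DNS name built from the selector and signing domain where the public key used to verify the signature is published, and the body-hash check. The signature header, TXT record and message bodies are constructed samples; the key and signature values are placeholders.

```python
import base64
import hashlib
import re

# Constructed samples: the signature header a sending domain adds, the TXT
# record it publishes in DNS, and message bodies. p= and b= are placeholders.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
              " h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
              " b=PLACEHOLDER_SIGNATURE")
SAMPLE_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"

def parse_tag_list(text):
    """RFC 6376 tag=value syntax, shared by the DKIM-Signature header and the
    DNS key record. Folding whitespace inside values is dropped."""
    tags = {}
    for item in text.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_record_name(sig_tags):
    """DNS name queried for the public key: <selector>._domainkey.<domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def relaxed_body(body):
    """Relaxed body canonicalization (RFC 6376 3.4.4): strip trailing
    whitespace per line, collapse whitespace runs, drop trailing empty
    lines, end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_signature_header(sig_header, body):
    """Receiver-side checks that need no key yet: From must be signed and the
    body must still match bh=. Returns (ok, detail); on success the detail
    is the DNS name to fetch the key from before verifying b=."""
    tags = parse_tag_list(sig_header)
    if "from" not in tags.get("h", "").lower().split(":"):
        return False, "From header is not covered by the signature"
    if body_hash(body) != tags.get("bh"):
        return False, "body hash mismatch: body altered after signing"
    return True, key_record_name(tags)
```

The signature itself (b=) is verified only after the key record is fetched from the returned DNS name; the sample's bh= is the hash of an empty canonicalized body, so any non-empty body fails the check.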
An informal consortium of about a dozen IT vendors and organisations, including Yahoo, Cisco, EarthLink, Microsoft, PGP, StrongMail, VeriSign and Sendmail, has met for a year to create the new specifications for DKIM. It was first submitted to the IETF for consideration as a new email standard to fight phishing and spam in July 2005.
To make it work, DKIM now has to be adopted and incorporated by independent software vendors into their email applications and related infrastructures. Paul Hoffman, a director at the Domain Assurance Council, a trade association for the domain reputation industry, said he believes that email service providers such as Yahoo and Google will lead the way.
"You're going to see a bunch of adoption from the receivers within the next six months, and that will spur the senders," Hoffman said. "Once the receivers are saying there's a higher chance you're going to get white-listed, the senders are going to say, 'Great, sign me up.'
"As far as we can tell, all the major [email services] are very interested in implementing it," he said. "We believe from what they've said that all of them are going to include DKIM fairly high in the list of white-listing technologies."
Microsoft, however, could take longer to adopt it, Hoffman said. "I would put them probably as last, because they are really heavily invested in Sender ID," he said.
Hoffman said that DKIM is not hard to implement and that he would be surprised not to see it in the next versions of major email support applications such as IBM's Lotus Notes and Microsoft's Exchange Server.
Miles Libbey, the anti-spam product manager for Yahoo Mail and a co-author of DKIM, said Yahoo has been using the original DomainKeys on both its inbound and outbound systems. He said Yahoo plans to switch to the new DKIM specs but is not sure when that will happen.
The IETF publication of the specifications, which will later lead to a formal draft and then eventual final approval, is a first step toward much broader adoption, Libbey said. "By having gone through the IETF process and gaining consensus amongst the entire internet industry, we've debugged a few issues that surrounded the original implementation of DomainKeys," he said. "Once you actually have it formalised, you're much more confident that the spec is going to be stable."
Eric Allman, the chief science officer at Sendmail, said the DKIM specification and standard will be very important for users. "I do believe this is going to have a major impact initially on phishing," he said.
One benefit is that it will all be handled behind the scenes, as opposed to some current methods that ask users to make decisions on whether to accept or decline incoming messages. "A lot of users can handle that, and a lot of users get confused," he said. "The simplest thing for them to see is that the phisher [messages] just don't show up in their email boxes."
Sendmail is adding DKIM to all of its products, he said.
Once some well-known web sites such as Yahoo, PayPal and others begin using DKIM, a flood of adoption will occur, he said. "I think that what you're going to see is a rush of places that are going to install it pretty quickly, then it will slow down," Allman said. "The important thing is we'll have a core of sites fairly quickly."