Product Launch Boot Camp - Sept 20, 2008 - DaVinci Institute
February 11th, 2008 at 11:12 am

Powerful New Antiphishing Weapon Emerges - DKIM

in: Hot Issues

Spoofers, spammers and phishers, beware. There’s a new gun in town, and some of the Internet’s most powerful companies — including Yahoo, Google, PayPal and AOL — are brandishing it in the ongoing battle against e-mail fraud.

http://tecfa.unige.ch/tecfa/teaching/LME/images/phishing-sml.jpg

The new weapon is called DKIM, an emerging e-mail authentication standard developed by the Internet Engineering Task Force. DKIM, which stands for DomainKeys Identified Mail, allows an organization to cryptographically sign outgoing e-mail to verify
that it sent the message.

DKIM
addresses one of the Internet’s biggest threats: e-mail fraud. As much
as 80% of e-mail from leading brands, banks and ISPs is spoofed,
according to a report released in late January by the Authentication
and Online Trust Alliance (AOTA). AOTA analyzed more than 100 million e-mails from Fortune 500 brands sent over a five-month period.

"It’s
a critical need that IT professionals look at e-mail authentication as
a competitive advantage to protect their brands and their customers
from these exploits as well as to protect their employees from spoofed
or forged e-mail coming into their networks," says Craig Spiezle,
chairman of AOTA.

DKIM proponents say the standard is an important step in rebuilding consumer confidence in e-mail. (Compare Messaging Security products.) 

"DKIM
increases the trust with which people can regard their e-mail," says
Jim Fenton, a distinguished engineer with Cisco and one of the authors
of the standard. "DKIM isn’t going to put an end to phishing, but I’m
confident that DKIM is going to make it harder for phishing attacks to
occur."

Under development
since 2004, DKIM is finally reaching a critical mass. It’s expected to
be widely deployed this year, particularly in financial services and
e-commerce firms. Early adopters include Bank of America, American Greetings and Cisco.

"My guess is that probably half of the Fortune 1000 will be DKIM signing in 2008," predicts Greg Olson, director of product
management at Sendmail, which started shipping a DKIM-compliant e-mail appliance in November.

"I do feel that 2008 is the year when things are going to come together for DKIM," says Patrick Peterson, vice president of
technology for IronPort, an e-mail appliance vendor that supports DKIM (see more supporters) . "We have the Internet standard. We have a tremendous amount of vendor support . . . DKIM is solid as a rock."

How DKIM Works

DKIM allows an
organization to insert a cryptographic signature in outbound e-mail and
associate that signature with its domain name. The signature travels
with the e-mail regardless of its path across the Internet. The
recipient of the e-mail can use the signature to validate that the
message came from the organization’s domain name. (For more on how to deploy DKIM.)

"Right
now, a receiver of a message has no confidence that the message they
are receiving is from whom it claims to be from," Olson explains. "DKIM
is a way to permit a receiver of a message to validate that a message
is, in fact, from whom it claims to be from."

DKIM won’t eliminate e-mail fraud altogether, but it will help companies that are targets of phishing scams to give their
customers a way of ensuring they sent a particular message.

"If the receiver has confidence that an e-mail that claims to be from Bank of America is from Bank of America, then they are
not going to worry that someone is trying to steal their Social Security number," Olson says.

DKIM is a merger of two protocols: DomainKeys, which was created by Yahoo, (read a Q&A with a Yahoo executive on DKIM and beyond) and Identified Internet Mail, which was created by Cisco. These companies along with other messaging
vendors and ISPs are working with the IETF’s DKIM working group on technical specifications, which are almost done.

"DKIM is a stable specification," Fenton says. "The DKIM base specification, which is how you sign a message and how you verify
the signature, is very well defined. It’s not a moving target."

The
IETF’s DKIM working group is still tweaking the Sender Signing
Practices, which is a document that will describe how senders can
provide information in their DKIM records for recipients to use in
deciding what steps to take with messages received from the sender.

"If I sign all my mail and you get a message that purports to come from
me that’s not signed, then you can assume that message is not from me,"
Olson explains. "That policy would be in the DNS record associated with
the sender. The SSP is in its 10th draft right now. . . . I hope it
will be done soon."

Network vendors say DKIM is ready for deployment. In November, 20 ISPs and messaging vendors conducted an interoperability test of their DKIM deployments.

Vendors that participated in the DKIM interoperability test say the standard works, and that no technical stumbling blocks
were discovered.

"We did find some cases where the RFCs need some clarification," Olson says. "But the test showed that multiple people working
independently have been able to interoperate with DKIM." 

DKIM-compliant software and appliances are available today from Sendmail, IronPort, Alt-N Technologies, Message Systems, Port25 Solutions, StrongMail Systems and others.

"It’s pretty easy for a corporation to go out and deploy DKIM because there are enough commercial products that have DKIM
support," Fenton says. 

DKIM usage booms

DKIM adoption is accelerating, especially among banks, mortgage companies and insurance companies.

"I think there will be rapid adoption of DKIM," says Charles Stiles, director of worldwide business development for Goodmail,
a certified e-mail service that will support DKIM in May. "The standard
is proving to be very successful. The best and brightest people in the
world worked on it. It offers up a foolproof, spoof-proof way to
authenticate messages."

BITS,
a group of 100 of the largest U.S. financial institutions, last year
recommended that its members adopt DKIM by October 2008. BITS also
recommended two other standards for securing e-mail: Transport Layer
Security (TLS), which encrypts e-mail messages between servers; and
either Sender ID Framework (SIDF) or Sender Policy Framework (SPF) to
validate that a received e-mail originates from an authorized mail
server within a particular domain. (See story on Sender ID.)

"What BITS is doing here, with all of its members speaking in one voice with such a massive impact, gives people confidence
in DKIM," Peterson says. "It’s unlike anything we’ve seen" in terms of driving DKIM adoption.

ISPs are adopting DKIM because they want to protect their customers against spam and phishing scams. E-mail senders are tying
to protect their brands, identities and customers from phishing scams.

PayPal and eBay have teamed up with Yahoo to battle phishing attacks with DKIM. PayPal and eBay are signing their e-mails with DKIM, and Yahoo Mail will block e-mails
claiming to be sent by eBay and PayPal that haven’t been signed through DKIM.

"EBay and PayPal have always attracted fraudsters, phishers and all that. Our customers see too much e-mail that isn’t coming
from us," says Mike Vergara, director of account protection at PayPal, which is owned by eBay (Read our Q&A with Vergara).
"DKIM takes a good industrywide standards approach. We need to add
strong authentication to our e-mails so customers can have confidence
that it did come from us. And we need to get ISPs to leverage that so
we can say to them: If it didn’t come from us, please don’t deliver
it."

PayPal is deploying DKIM after already rolling out Sender Policy Framework (SPF), a complementary Microsoft-backed standard that is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to reject e-mail coming out of forged
"from" addresses. 

Vergara says the hardest part about deploying DKIM was documenting PayPal’s e-mail infrastructure to determine all the systems
and domains that send e-mail to customers.

"There’s
no one postmaster at eBay or PayPal. It took a lot of time to figure
out all the e-mails we were sending — transactional e-mails, marketing
e-mails, customer support e-mails — and where they were coming from
around the world," Vergara says. "Getting our hands around that took us
12 months. Rolling out e-mail appliances and upgrading them to DKIM
took a couple of weeks."

Vergara says DKIM works. He says Yahoo has blocked hundreds of thousands — sometimes millions — of messages per day that
supposedly came from eBay or PayPal but weren’t legitimate because they weren’t DKIM signed.

Now PayPal is in discussion with other ISPs to convince them to block messages from either PayPal or eBay that aren’t signed
with DKIM.

"We can’t solve this e-mail fraud problem on our own," Vergara says. "We are trying to light a fire under the ISPs to help
us solve this problem for the people who use our services."

DKIM
has its limitations. A minority of companies is signing their outbound
messages with DKIM, and fewer still are checking for DKIM signatures on
inbound mail. But backers of the technology hope this problem will be
eliminated as ISPs and banks deploy DKIM.

"If I sign all my
messages to protect my brand, but the person receiving it or their ISP
aren’t checking, it all looks the same to the recipient," Peterson
says. "I feel pretty confident that a year from now 30% of all
companies will be signing their messages. Yahoo and Gmail have adopted
it. Bank of America and PayPal have been very vocal supporters. Hope
springs eternal. I do feel that we’re at the tipping point for DKIM."

Via NetworkWorld

You must be logged in to post a comment.