I recently saw an article about the DomainKeys Identified Mail (DKIM) draft being accepted by the IETF as an official proposed standard (even though it happened back in February). I really hope the acceptance of this takes off, though the article seemed to show many large companies (who could probably benefit from it) non-committal.
DKIM is a simple means for verifying the origination of an email in an attempt to better track (and fight) spam and phishing messages. The method is simple: the sender encrypts the message body using it’s private key and stores this in the message header (non DKIM receivers, then, can safely ignore it and still deliver the message). A DKIM-enabled receiver looks up the originating domain’s record and extracts the public key. From Wikipedia: “The receiver can then decrypt the hash value in the header field and at the same time recalculate the hash value for the mail body that was received, from the point immediately following the “DomainKey-Signature:” header. If the two values match, this cryptographically proves that the mail did in fact originate at the purported domain, and has not been tampered with in transit.”
Using such a technique makes it nearly impossible to create forged emails like the kind hitting our inboxes purporting to be from PayPal, eBay, and others. From CNET: “In the long run, DomainKeys is more promising than existing antispam and antiphishing technologies, which rely on techniques like assembling a “blacklist” of known fraudsters or detecting such messages by trying to identify common characteristics.”
Microsoft has also put together a method for guaranteeing identity of email messages, called Sender ID, though it’s acceptance has been very slow (“because Microsoft initially did not agree to license patents in ways that are compatible with GNU General Public License”).
I think the DKIM technique towards spam/phishing message blocking is one of the most interesting and promising methods to come around. I’ve used Bayesian filters and blacklists, and spammers always find a way around it. But if we can get mail servers to all use this technique, I could easily see the eradication of nearly all phishing messages, and much-reduced spam messages (since it would be possible to track the sending habits of domains better).
What’s your take? In order for DKIM to be useful, both the sender and receiver must implement the DKIM method, which may mean upgrading your mail server software. One of the biggest downsides to this, unfortunately, is the extra overhead involved in email: each message requires cryptographic signing and a domain lookup, which can be quite taxing for already overworked email servers. Will you be using DKIM?
Additional Reading
Wikipedia: DomainKeys
CNET News: Promising antispam technique gets nod
DomainKeys Identified Mail Homepage
DKIM Signatures IETF Standards Draft
