By Philip VAN GELDER
philip.vangelder@domainesinfo.fr
Published: Monday, June 4, 2007

How to kill junk mail


A new open standard to make sure that email originates from the owner of the domain name it claims to come from has just been published. How is it going to help get rid of spam and phishing attacks?

 
Insecure from the start

When email was invented in the age of innocence nobody anticipated the scourge of illegitimate mass messages from disguised sources which now flood the entire system. In the early days of the internet people trusted each other so no verification of the sender of a message was built in.

But over 90% of emails sent today are illegitimate or criminal, and the sender does not want you to know where they came from. So we need a new, secure method of identifying the sender.

Two competing ideas

Two main ideas have been floated to add a layer of secure identification to the email system. Both are based on the DNS system, which maps between domain names and IP addresses. DNS records are published by the owner of a domain, so malicious users cannot change them.

A system called SPF was adopted early. Microsoft derived its own version of SPF under the name SenderID. Both use a simple text string in the DNS record to announce to the world which machines are authorized to send mail from that domain.

Two other methods, DomainKeys from Yahoo! and Identified Internet Mail from Cisco, have now been unified under the aegis of the IETF and published in May 2007 as RFC 4871 under the name DKIM (DomainKeys Identified Mail). This uses a digital signature based on a public/private key pair. The public key is tied to the domain name as a new DNS record. The private key is used to sign the email by any authorized mail agent before it leaves the domain. DKIM is a completely open standard, which ensures that it will remain royalty free. It is not limited to a single key per domain.

So what does it mean for me?

Nothing yet. But now that the DKIM standard has been published it is anticipated that it will be rapidly implemented by providers of email services. The DKIM signature is placed in the headers of the email and so will usually remain invisible to the user. It can however be used by the receiving mail server to automatically decide what to do with the message: reject it as spam, accept it or consider it suspect. This requires no user input.

How does it work?

The digital key pair is generated by the domain owner and does not require authentication by a third party. If a legitimate domain owner habitually signs with DKIM, recipients will know that an unsigned message claiming to come from that domain is probably bogus.

Of course a spammer could sign outgoing messages too, but that would not defeat the system. On the contrary, it would identify them and allow receiving mail servers to reject messages from that domain in future. DKIM is linked to the domain name and not to the IP address, so sending from a different IP will not help the spammer.

DKIM does not encrypt the message, so anyone can read a DKIM-signed email, even with mail software that does not support DKIM. When the receiving software does verify the signature, it also confirms that the email body has not been tampered with on the way to its destination.
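As an added illustration of the verification step described above (not code from the article or from any mail software), this Python sketch computes and checks the DKIM body hash (the bh= tag) using the "simple" body canonicalization of RFC 4871, and derives the DNS name from which a verifier fetches the public key. The RSA signature over the headers (the b= tag) is assumed to be handled by a separate library and is not checked here; the domain, selector and message are constructed placeholders.

```python
import base64
import hashlib


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 4871 'simple' canonicalization: strip trailing empty lines, end with one CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")  # empty body becomes a lone CRLF


def body_hash(body: str, algorithm: str = "rsa-sha256") -> str:
    """The bh= tag: base64 of the hash named by a= (sha256 or sha1) over the canonical body."""
    digest = hashlib.new(algorithm.split("-", 1)[1], canonicalize_body_simple(body))
    return base64.b64encode(digest.digest()).decode("ascii")


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (same syntax in the header and in the DNS TXT record)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # whitespace inside values is ignored
    return tags


def dkim_dns_name(tags: dict) -> str:
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def sign_body_only(headers: str, body: str, domain: str, selector: str) -> str:
    """Signer side, body hash only; b= (RSA over the listed headers) is left empty here."""
    sig = (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
           f"h=from:to:subject; bh={body_hash(body)}; b=")
    return f"DKIM-Signature: {sig}\r\n{headers}\r\n\r\n{body}"


def body_hash_matches(message: str) -> bool:
    """Verifier side: recompute bh= from the body as received and compare (folded headers not handled)."""
    headers, _, body = message.partition("\r\n\r\n")
    for line in headers.split("\r\n"):
        if line.lower().startswith("dkim-signature:"):
            tags = parse_tags(line.split(":", 1)[1])
            return tags.get("bh") == body_hash(body, tags.get("a", "rsa-sha256"))
    return False  # unsigned mail from a domain that always signs: treat as suspect


# Constructed sample message; domain and selector are placeholders.
HEADERS = "From: alice@example.org\r\nTo: bob@example.net\r\nSubject: Invoice"
BODY = "Please pay the invoice to the usual account.\r\n\r\n"
SIGNED = sign_body_only(HEADERS, BODY, "example.org", "mail2007")
TAMPERED = SIGNED.replace("usual account", "a different account")
```

A receiving server that finds the recomputed hash different from bh= knows the body was altered in transit, which is the tamper check the article refers to.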

When can I start using DKIM to reject malicious email?

Now that the standard has been adopted all mail providers can begin to use it. Yahoo! is expected to be the first provider to implement DKIM and Microsoft, because of its investment in SenderID, is expected to be the last.

All domain owners should start to ask their DNS administrators to provide the means to incorporate DKIM keys into their DNS records. When new versions of sending and receiving email software are updated to be compatible with DKIM, domain owners will have a new powerful tool to fight the ongoing war against spammers, phishers and scammers.


Key points of the article

•  Two competing ideas:
  1. SenderID (Microsoft): a simple text string in the DNS record announces to the world which machines are authorized to send mail from that domain.
  2. DomainKeys Identified Mail (Yahoo! & Cisco): a digital signature based on a public/private key pair. The public key is tied to the domain name as a new DNS record. The private key is used to sign the email by any authorized mail agent before it leaves the domain. DKIM is a completely open standard, which ensures that it will remain royalty free.




DomainesInfo is a publication of INDOM, a société par actions simplifiée with a capital of 472 727,5 €, 124-126, rue de Provence, 75008 Paris.

INDOM is a brand of Group NBT Ltd.

Publishing director: Stéphane Van Gelder

Editor in chief: Stéphane Van Gelder