Well it certainly means we are one step closer to getting rid of the problem.

DomainKeys Identified Mail (DKIM), simply put, is e-mail authentication. It provides verifiable information that allows recipients of electronic mail to validate the authenticity of the message received and the true identity of the sender. DKIM was also created to protect users against phishing attacks, in which scam artists attempt to steal sensitive information by masquerading as a legitimate organization familiar to the recipient.
Previously used forms of e-mail authentication were:
- DomainKeys: Designed to verify the DNS domain of an e-mail sender and the message integrity.
- Sender ID: Validates the origin of e-mail messages by verifying the IP address of the sender against the alleged owner of the sending domain.
- Sender Policy Framework (SPF): An anti-spam approach in which the Internet domain of an e-mail sender can be authenticated.
How Does DKIM Work?
DKIM places a signature in the e-mail header. The signature includes 3 related fields:
- A digital signature
- A definition of the fields over which the digital signature was calculated
- The sending domain
With DKIM, the sending organization publishes its public key and policies in the Domain Name System (DNS). The receiving organization verifies the DKIM signature by checking it against the sender's public key, which is made available through DNS.
After a DKIM signature has been placed on a message and the message is sent to the recipient, an agent in the ADMD (ADministrative Management Domain), which is a public e-mail service, will usually validate the signature. In fact, any functional component in the message transit path can validate the signature. The recipient end-user does not have to perform any validation; the recipient ADMD's filtering software does that instead.
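The three signature fields and the DNS key lookup described above, as an added example that is not part of the original article: it parses a DKIM-Signature value, derives the DNS name where the public key is published, lists the signed header fields, and performs the body-hash check a verifier runs first. The domain, selector and b= value are constructed placeholders; the RSA check of b= against the fetched key is not performed here, and "simple" body canonicalization is assumed.

```python
import base64
import hashlib
import re

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, keep one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()

def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(tags: dict) -> str:
    """DNS name of the TXT record that holds the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def signed_fields(tags: dict) -> list:
    """Header fields the signature was calculated over (the h= tag)."""
    return [f.lower() for f in tags["h"].split(":")]

def body_hash_matches(tags: dict, body: bytes) -> bool:
    """First verifier check: does the received body still hash to bh=?"""
    return tags["bh"] == body_hash(body)

# Constructed sample: domain, selector and the b= placeholder are made up for illustration.
BODY = b"Hello,\r\n\r\nYour order has shipped.\r\n\r\n\r\n"
HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel2024;\r\n"
    "\th=From:To:Subject:Date;\r\n"
    f"\tbh={body_hash(BODY)};\r\n"
    "\tb=PLACEHOLDERSIGNATURE"
)

if __name__ == "__main__":
    tags = parse_dkim_signature(HEADER)
    print("fetch key from:", key_record_name(tags))
    print("signed fields: ", signed_fields(tags))
    print("body intact:   ", body_hash_matches(tags, BODY))
    print("body tampered: ", body_hash_matches(tags, BODY.replace(b"shipped", b"failed")))
```

The envelope recipient is not among the signed fields, which is why a re-sent copy of a signed message still verifies.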
Recipients benefit from the use of DKIM in the following manner:
- Abusive domain owners are more easily tracked down.
- Fake e-mail messages are discarded on the spot, either by end-user e-mail software or by ISPs.
- By allowing positive identification of the origination of e-mails, domain-based blacklists are more effective and scam attacks are more easily detected.
Senders/companies benefit from the use of DKIM in the following manner:
- Customers will not be so reluctant to do internet transactions if they know the providing company uses DKIM.
- Senders/companies do not have to worry about the tampering of marketing and transactional e-mails. Such tampering is usually very harmful and can cause great damage to a company's reputation.
Weakness of DKIM:
- Information about the behavior of the identity doing the signing is not provided.
- No protection is provided by DKIM if a message has already been delivered.
- Receivers are not prescribed any specific actions to take once a validation of a signature has been deemed successful or unsuccessful.
- DKIM does not protect against re-sending (replay of) a message that already has a valid signature; this means that a transit intermediary or a recipient can re-post the message in such a way that the signature would remain valid, although the new recipient(s) would not have been specified by the originator.

A number of companies and postmasters have implemented DomainKeys to protect their domains including PayPal, eBay, Yahoo, Gmail and a lot more! With all the phishing and spoofing scams going around these days, both companies and end-users need a service that will provide authentication that they can trust. DKIM, it's the way to go.