Wednesday, July 9, 2008

Finally after all these years of talk - Domain Keys

Dancho Danchev over at ZDNet posted up a story today which I thought warranted more attention and discussion from a slightly different angle.

First though, if you don't know what Domain Keys is, as it applies to email, here's the definition:
An e-mail authentication method that computes a digital signature which is added to the message header. The receiving mail server obtains the sender's public key from the DNS system to validate the signature. In 2004, Yahoo! began to sign all outgoing mail with DomainKeys headers.

Yahoo! and Cisco = DomainKeys Identified Mail
Yahoo!'s DomainKeys was combined with Cisco's Identified Internet Mail system, which maintains signature consistency, to become DomainKeys Identified Mail (DKIM). DKIM is backward compatible with the DomainKeys system. See e-mail authentication and digital signature.
Now... in the face of this large-scale implementation from Google, eBay and PayPal (the most phished brands on the Internet) it would almost seem obvious that this system should have been put in place years ago - at it is clearly proving to be worth the effort. False-positive rates are zero (is it even possible to fake a digital signature?), email SPAM/Phishing traffic is cut by a large chunk - so we ask ourselves... why isn't everyone doing it?

Much like DNSSEC (DNS Secured) it's simply a matter of implementation on a large scale, and the added overhead from the security verification operations. But I would say this to those who are thinking about implementation... there are two sides to this operation. The side that signs it (the verified sender) and the side that reads it and throws away/rejects the non-signed emails (receiver/email host). Obviously, in order to make this all happen large-scale email hosting providers (such as ComCast, Verizon, SBC/AT&T, and the like) would have to turn on filtering for messages that are non-signed. Interesting.

Here's how this works in real-life...
  1. Company A decides it's sick of its users being phished, and implements DomainKeys/DK
  2. Company A then has to contact all email hosting providers that their users primarily use (that it's practical to reach) and alerts them to only accept signed (authenticated) emails
  3. Email hosts start to filter and throw away phishing/spam email
The magic step of course is #2... you can't just implement Domain Keys and expect phishing for your domain to "go away"... so this is a solution for the large mail providers - and not the masses. I agree it's definitely a step in the right direction, and it would be wonderful if we could just make DomainKeys a mail standard (no Domain Keys, no email transport/relay) but that's just not practical.

So while we try and solve the SPAM/phishing debacle, DomainKeys (and GMail and Yahoo! Mail) take us one step closer...


No comments: