DKIM antispam standard can't stop spam

An engineer who helped develop a new antispam technology called DomainKeys Identified Mail (DKIM) said it's not a foolproof way to keep nasty e-mails out of your inbox, but it is a step in the right direction.

DKIM relies on a quietly inserted digital signature on the sender's end, which is designed to vouch for the identity of a message's sender. The Internet Engineering Task Force, a key standards body, adopted a draft of the standard in May.

The standard, which has backing from Yahoo, Cisco Systems, Sendmail and PGP Corporation, doesn't require that messages with invalid signatures be flagged as junk, but Internet service providers are likely to do just that.

Just because a message passes that authentication test, however, doesn't mean it's a "good one," Cisco distinguished engineer Jim Fenton cautioned attendees at a spam summit in the US organised by the Federal Trade Commission.

"Cybercriminals will authenticate their messages," said Fenton, whose company has deployed the DKIM system for about a year and has counted valid signatures from more than 20,000 domains. "They will do whatever it takes to make their messages look more legitimate."

Fenton said that Cisco has "strong circumstantial evidence" based on its own experience that cybercriminals are registering "throwaway" domain names and doing just that.

But even if spammers simply create their own domains with valid DomainKeys records, the technique still does two things: First, it shrinks the number of domains that spammers can use. And second, it permits antispammers to create a reputation database that tracks throwaway domains and marks those as sources of junk e-mail.

The use of DKIM also isn't a cure-all for phishing because phishers can still acquire domain names that closely resemble authenticated ones.

Fenton and the other drafters of that standard are, however, working on another specification, called "signer sending practices," that is designed to make that practice more difficult as well. That specification would propose a method for mail senders to advertise how they sign their mail, with the goal that unsigned messages from look-alike domain names will appear relatively more suspicious to e-mail users.

The most appropriate way to think of DKIM, Fenton said, is not as a foolproof answer to keeping the bad stuff out of your inbox, but as "a peephole in the door" that gives clues about what to trust.
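
How a receiving mail system might act on the points above, as an added example that is not from the article or from any DKIM implementation: a valid signature only identifies the signing domain (the d= tag), and the verdict comes from that domain's reputation and from whether a domain advertises that it signs all of its mail. The domain names, the reputation table and the function names are constructed assumptions, and the cryptographic check itself is assumed to happen elsewhere.

```python
import re

# Constructed sample data (assumptions, not from the article).
REPUTATION = {"example-bank.test": "good", "throwaway-4821.test": "bad"}
SIGNS_ALL_MAIL = {"example-bank.test"}  # domains advertising that they sign everything

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs (RFC 4871, 3.2)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def classify(from_domain, dkim_header, signature_valid):
    """Return (verdict, reason) for one message.

    signature_valid is the outcome of the cryptographic check, which is
    assumed to be done elsewhere (it needs the signer's public key from DNS).
    """
    signer = ""
    if dkim_header is not None and signature_valid:
        signer = parse_dkim_tags(dkim_header).get("d", "").lower()
    if not signer:
        # A missing or failed signature gives no identity to rate.
        if from_domain.lower() in SIGNS_ALL_MAIL:
            return "suspicious", "domain advertises that it signs all mail"
        return "unrated", "no verified signer"
    rating = REPUTATION.get(signer, "none")
    if rating == "bad":
        return "junk", f"valid signature, but {signer} has a bad reputation"
    if rating == "good":
        return "trusted", f"valid signature from {signer}"
    return "unrated", f"valid signature, but no history for {signer}"

if __name__ == "__main__":
    # Constructed header; the bh= and b= values are placeholders, not real data.
    hdr = "v=1; a=rsa-sha256; d=throwaway-4821.test; s=k1;\r\n\tbh=AAAA; b=AAAA"
    print(classify("throwaway-4821.test", hdr, True))
    print(classify("example-bank.test", None, False))
```
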

Talkback 2 comments

    DKIM is only one layer William Lefkovics -- 13/07/07

    DKIM is not an antispam technology as much as an anti-spoofing technology. Any antispam effort today requires a defense-in-depth approach of which authenticating or validating a sender's email address against an IP address (as in SPF) is only one layer. This really isn't new or news to anyone in the messaging administration world.

    The RFC for DKIM is RFC4871. (http://www.ietf.org/rfc/rfc4871.txt)

    Regards.

    DKIM > SPF Anonymous -- 13/07/07 (in reply to #320082710)

    The distinction between DKIM and SPF is that DKIM is much more secure, in that it uses cryptography to verify that the sender says they are who they say, and doesn't break SMTP (see http://preview.tinyurl.com/oouuw ). And I guess that all either of them allows you to do is make whitelists based on the reputation of the sender; such a whitelist would probably only be better than an IP-based one in the situation that some domains in a shared hosting environment were clean, while some were sources of spam.
