RealTime IT News

The Word on E-mail Authentication

In a step that should help slash the volume of unwanted and pernicious e-mail, a group developing technical specs for the e-mail authentication standard DKIM (Domain Keys Identified Mail), has just completed a major portion of its work.

According to Dave Croker, a member of the Mutual Internet Practices Association (MIPA), the group put the finishing touches on technical specifications for DKIM in Montreal last week, paving the way for the Internet Engineering Task Force (IETF) approval of the spec.

The IETF is withholding its approval of the spec until the MIPA completes an in-depth threat analysis and resolves issues that process had identified.

"The core work is just about done," Croker told internetnews.com. "What we've got now is a stable spec."

Although DKIM is already in widespread use, completing it means "the community can be on the same page in terms of what DKIM is and is not doing," said Croker.

According to proponents, the newly defined DKIM is especially useful because the cryptographic signature it defines will hold up well under challenging conditions, such as when a spammer tries to trick recipients by using forwards.

"DKIM will survive hops like forwarding -- other systems will not maintain integrity," explained Audian Paxson, another MIPA member.

"The cryptographic signing has a better chance [than competing standards] of retaining its integrity before it reaches the end user."

Another widely used standard for e-mail authentication is Microsoft's Sender ID. But many in the industry have resisted it because Microsoft insists on maintaining patent ownership rights.

Nothing claims patent ownership of DKIM, which is the combination of Yahoo's Domain Keys and Cisco's Identified Internet Mail (IIM).

A consortium of a dozen companies has further elaborated upon the standard.

"Long-term, [DKIM] will have greater adoption and last longer than the other industry standards for user authentication," said Paxson.

The next item on MIPA's agenda is to develop policies governing the use of DKIM. This is necessary because, currently, DKIM simply informs a recipient that the sender is confirming its authorship of a given e-mail.

But DKIM can't by itself prevent someone from sending e-mail from a domain pretending to belong to a creditable business -- the most common form of phishing .

According to Croker, MIPA has already begun work on defining policies that ISPs can use to reduce phishing and other forms of spam. But "not in any kind of scope that we could talk about until this other work got done."

According to an agenda posted on the IETF Web site, specs for this DKIM policy are due in September, but both Croker and Paxson believe that to be an overly ambitious timeframe.

"This could take anywhere from three months to a year to write," Paxson said.

There has been a significant increase in adoption of sender authentication programs.

According to Internet security firm IronPort, overall adoption of e-mail authentication has increased by 60 percent over the last 12 months. Moreover, Ironport forecasts that adoption will grow by another 50 percent over the next 12 months.

ISPs' and webmail providers' adoption of e-mail authentication is one of the leading drivers of adoption.

A study from the E-mail Sender and Provider Coalition (ESPC), based in York, Maine, reports that 18 of the largest ISPs in the U.S. support at least one of the e-mail authentication methods.

"Legitimate e-mail marketers and ESPs have been quick to respond by adopting authentication over the last year to ensure their mail makes it to inboxes of leading ISPs," said Trevor Hughes, executive director of the ESPC, in a statement.