The Word on E-mail Authentication

In a step that should help slash the volume of unwanted and pernicious
e-mail, a group developing technical specs for the e-mail authentication standard DKIM (DomainKeys Identified Mail) has just completed a major
portion of its work.

According to Dave Crocker, a member of the Mutual Internet Practices
Association (MIPA), the group put the finishing touches on the technical
specifications for DKIM in Montreal last week, paving the way for Internet Engineering Task Force (IETF) approval of the spec.

The IETF is withholding its approval of the spec until the MIPA completes an
in-depth threat analysis and resolves issues that process had

“The core work is just about done,” Crocker told
“What we’ve got now is a stable spec.”

Although DKIM is already in widespread use, completing it means “the
community can be on the same page in terms of what DKIM is and is not
doing,” said Crocker.

According to proponents, the newly defined DKIM is especially useful
because the cryptographic signature it defines will hold up well under
challenging conditions, such as when a spammer tries to trick recipients by
using forwards.

“DKIM will survive hops like forwarding — other systems will not maintain
integrity,” explained Audian Paxson, another MIPA member.

“The cryptographic signing has a better chance [than competing standards] of
retaining its integrity before it reaches the end user.”

Another widely used standard for e-mail authentication is Microsoft’s Sender ID. But many in the industry have
resisted it because Microsoft insists on maintaining patent ownership rights.

No one claims patent ownership of DKIM, which combines Yahoo’s DomainKeys and Cisco’s Identified Internet Mail (IIM).

A consortium of a dozen companies has further elaborated upon the standard.

“Long-term, [DKIM] will have greater adoption and last longer than the other
industry standards for user authentication,” said Paxson.

The next item on MIPA’s agenda is to develop policies governing the use of
DKIM. This is necessary because, currently, DKIM simply informs a recipient that
the sender is confirming its authorship of a given e-mail.

But DKIM can’t by
itself prevent someone from sending e-mail from a domain pretending to
belong to a creditable business — the most common form of phishing
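The two points above, that a DKIM signature survives a forwarding hop and that it only tells the recipient which domain signed the message, as an added example that is not from the article or from any DKIM implementation. It models what DKIM binds a signature to (a listed set of headers plus a body hash, keyed to the d= signing domain); HMAC-SHA256 with a per-domain secret stands in for DKIM's RSA signature and a lookup table stands in for the DNS-published key, and all domains and addresses are constructed.

```python
import hashlib
import hmac

SIGNED_HEADERS = ("from", "subject", "date")  # the DKIM h= tag: headers covered

# Stand-in for the per-domain public key DKIM publishes in DNS (constructed secrets).
KEYS = {"bank-example.com": b"key-one", "bank-examp1e.com": b"key-two"}


def _canon(headers, body, names):
    """Minimal canonicalisation: lowercase header names, trimmed values,
    trailing newlines dropped from the body (mirrors DKIM's 'simple' body rule)."""
    hdr = "".join(f"{n}:{headers[n].strip()}\r\n" for n in names)
    return hdr.encode(), body.rstrip("\r\n").encode()


def sign(headers, body, domain):
    """Return a DKIM-style tag set: d= signing domain, h= headers, bh= body hash, b= signature."""
    hdr, bdy = _canon(headers, body, SIGNED_HEADERS)
    bh = hashlib.sha256(bdy).hexdigest()
    b = hmac.new(KEYS[domain], hdr + bh.encode(), "sha256").hexdigest()
    return {"d": domain, "h": ":".join(SIGNED_HEADERS), "bh": bh, "b": b}


def verify(headers, body, sig):
    """True if the signature checks out for the domain named in d=.
    Note what this does NOT decide: whether d= is the domain the user expects."""
    hdr, bdy = _canon(headers, body, sig["h"].split(":"))
    if hashlib.sha256(bdy).hexdigest() != sig["bh"]:
        return False  # body altered in transit
    expect = hmac.new(KEYS[sig["d"]], hdr + sig["bh"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(expect, sig["b"])


def forward(headers, body):
    """A forwarder prepends trace headers and rewrites the envelope but leaves
    the signed headers and body untouched, so the signature still verifies."""
    fwd = dict(headers)
    fwd["received"] = "from relay.forwarder.example (192.0.2.77)"  # constructed
    fwd["x-envelope-from"] = "alias@forwarder.example"
    return fwd, body


def path_check(last_hop_ip, authorized_ips):
    """Path-based check in the style of SPF/Sender ID: the forwarder's IP is
    not on the origin domain's list, so this fails after a forwarding hop."""
    return last_hop_ip in authorized_ips
```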

According to Crocker, MIPA has already begun work on defining policies that ISPs can use to reduce
phishing and other forms of spam. But “not in any kind
of scope that we could talk about until this other work got done.”

According to an agenda posted on the IETF Web site, specs for this DKIM
policy are due in September, but both Crocker and Paxson believe that to be
an overly ambitious timeframe.

“This could take anywhere from three months to a year to write,”
Paxson said.

There has been a significant increase in adoption of sender authentication programs.

According to Internet security firm IronPort, overall adoption of e-mail
authentication has increased by 60 percent over the last 12 months.
Moreover, IronPort forecasts that adoption will grow by another 50 percent
over the next 12 months.

Adoption of e-mail authentication by ISPs and webmail providers is one of
the leading drivers of that growth.

A study from the E-mail Sender and Provider
Coalition (ESPC), based in York, Maine, reports that 18 of the largest ISPs
in the U.S. support at least one of the e-mail authentication methods.

“Legitimate e-mail marketers and ESPs have been quick to respond by adopting
authentication over the last year to ensure their mail makes it to inboxes
of leading ISPs,” said Trevor Hughes, executive director of the ESPC, in a
