Establishing Digital Trust: Don't Sacrifice Security for Convenience
Earlier this month in Dallas, Texas, nearly two dozen Internet service providers, messaging product vendors, and email industry associations gathered for two days to take the future of email authentication out for a test drive.
This quiet event, hosted by Alt-N Technologies, brought together technical representatives from many of the biggest names in email from around the globe to practice implementing DomainKeys Identified Mail (DKIM). DKIM is one of the most promising new email authentication standards to emerge from the Internet Engineering Task Force’s standards-making process.
If you are responsible for managing email systems and you don’t have at least a passing familiarity with DKIM, you may still have time to learn about it. But you most assuredly don’t have the luxury of ignoring it.
While some of the more level-headed proponents of DKIM will be aghast at my hyperbole, the more deeply I look at DKIM and how powerful a tool it can be in the battle against spam and various email-borne security threats, the more I become convinced that DKIM will be one of the truly indispensable elements of email’s future.
DKIM derives from a pretty simple concept: because a lot of bad people attempt to fraudulently represent the origins of certain emails, if you can reliably identify and verify the origins of legitimate messages, then it’s much easier to dump the illegitimate stuff into the trash.
Through the cunning use of encryption to generate cryptographic signatures on each outbound email message, a sender can certify the origin of a message as coming from an authorized server for that domain. Receivers can in turn do a simple DNS query on the domain name and use a signature in the DNS record to verify the authenticity of that email’s claimed origin.
Ideally, in a world where DKIM is widely deployed and implemented, authenticated mail can benefit from speedier and more reliable delivery, bypassing certain types of anti-spam and anti-phishing filters.
That’s what made the two-day exercise in Dallas so important: senders, receivers, software and hardware manufacturers, and a variety of other parties interested in restoring some level of trust and reliability to email were able to fling DKIM-signed messages at one another all day and night, testing the robustness of various implementations.
And the results were, in a word, awesome. In a press release about the event, event coordinator and email standards guru Dave Crocker noted: “Because spam and phishing continue to proliferate, messaging companies are eager to move forward with wide-spread implementation of DKIM, to help consumers and businesses identify legitimate email messages...We have demonstrated that DKIM is easy to add to an email service and that its use of cryptographic technology provides a strong basis for knowing received email really is associated with the organization that claims to have sent it.”
Various email server software vendors also found the event useful for testing their DKIM implementations against a wider variety of systems and architectures. “We learned a lot by participating; not the least of which is that DKIM just works,” said Arvel Hathcock, CEO of Alt-N Technologies, and host of the event. “The testing performed by all participants revealed no significant barriers to adoption or use.”
I have never been shy about my fondness for encryption-based methods of fighting spam and email-borne threats, in no small part because my old company, ePrivacy Group, deployed a very similar authentication system called Trusted Sender several years before the DKIM concept was hatched.
Unfortunately for everyone – especially those of us invested in the development of the Trusted Sender technologies – it quickly became clear as early as 2002 that the world wasn’t ready for simpler email authentication. Indeed, authentication was seen at the time as falling somewhere between a curiosity and a waste of CPU cycles.
It would take many more years of criminal exploitation by spammers and password phishers, and untold billions of dollars in wasted bandwidth, crippled networks, hijacked bank accounts, and other fall-out from insecure email, before the world’s email administrators would see cryptographic authentication systems as inevitably necessary.
The DKIM standard is a much more streamlined version of the concept that our team at ePrivacy Group created for the Trusted Sender program. And DKIM benefits from that simplification, as well as a much more highly motivated community of senders and receivers who are eager – if not a little desperate – to get to a world where DKIM can become the basis for an array of smarter and more reliable email delivery decisions.
The DKIM standard allows email senders to insert a unique cryptographic signature into the headers of outbound email, allowing authentication to take place at any point along the path between the sender and the recipient. At any point along the way, once the signature has been validated, the signer’s identity can be better relied upon when making decisions about filtering, blocking, or sorting email into the dreaded “Spam Folder.”
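The header signature and DNS lookup described above can be made concrete with one piece of what a receiver does. This is an added example, not code from the article or from any DKIM implementation: it parses a `DKIM-Signature` header value, derives the DNS name under which the signer's public key record is published, and recomputes the body hash (`bh=`) per RFC 6376. The domain `example.com`, the selector `sel1` and the `b=` value are constructed placeholders; verifying the `b=` signature against the published key and handling the optional `l=` tag are not covered.

```python
import base64, hashlib, re

def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, 'simple' or 'relaxed' (RFC 6376 section 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of spaces/tabs, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:  # an empty body hashes as CRLF (simple) or as nothing (relaxed)
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def check_body_hash(sig_header: str, body: bytes) -> dict:
    """Return the key record name to query and whether bh= matches the body."""
    t = parse_tags(sig_header)
    if not t.get("a", "").endswith("-sha256"):
        raise ValueError("only the *-sha256 algorithms are handled here")
    c = t.get("c", "simple/simple")  # header/body; body defaults to simple
    mode = c.split("/")[1] if "/" in c else "simple"
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return {"key_record": f"{t['s']}._domainkey.{t['d']}",
            "body_hash_ok": base64.b64encode(digest).decode() == t["bh"]}

# Constructed sample: domain, selector and b= value are placeholders
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;\r\n"
              " h=from:to:subject; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n"
              " b=PLACEHOLDER")

if __name__ == "__main__":
    print(check_body_hash(SAMPLE_SIG, b"\r\n\r\n"))          # body as signed
    print(check_body_hash(SAMPLE_SIG, b"altered text\r\n"))  # body changed in transit
```

A body-hash mismatch means the message body changed after signing, so a verifier can reject the signature without fetching the key at all.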
As the DKIM website points out, DKIM leverages domain names rather than IP addresses to represent an organization’s identity. This makes sense because domain names are more stable and already serve to reliably identify email senders on the Internet. Building on that, a valid DKIM signature provides further layers of trust to email and reinforces the value carried in the brand name and corporate goodwill of a sending organization’s reputation.
Events like this month’s DKIM testing party are vital steps in demonstrating that greater messaging security is not only worth pursuing, but that it can be done in reliable and cost-effective ways. The sooner every email sending organization adopts DKIM, the sooner we will be reliably tossing bad email into the bit-bucket while reliably delivering wanted email to users’ inboxes.