The Internet Engineering Task Force (IETF) recently met in Prague. Among the dozens of working groups striving to produce standards and guidelines to make the Internet work better, there is one called DKIM, or DomainKeys Identified Mail.
They have been working for several years to produce new email standards that can be added invisibly to the current email infrastructure and that attach a valid domain name to a piece of email. That may make you say, “Huh? We didn’t have that already?”, but in fact we didn’t.
Almost every part of an email message can be an outright forgery, because email became widespread before security was much of a concern. But now, as the proponents of DKIM would say, we finally have a mechanism for a particular domain owner to take some actual responsibility for a message.
And statistics from several sources (The OpenDKIM Project and Lars Eggert at Nokia, for example) show that rollout is slowly but surely happening. And now, having completed its chartered work, the DKIM working group will soon close down. It’s time to start thinking about where we go from here.
DKIM is certainly a powerful building block, but it’s not enough by itself to separate the good guys from the bad. As with various other message authentication schemes before it, DKIM can be used by spammers and phishers the same way the good guys can use it.
Therefore, a valid DKIM signature shouldn’t be an automatic pass to your inbox: a piece of mail signed by paypal.com should certainly get different treatment than one signed by p4yp4l.com, right? But how is a computer, which just sees a bunch of characters, supposed to know that? A filtering system needs to know what value to associate with the proven domain name that DKIM delivers.
DKIM is a prime candidate for use as a basis for a new generation of email security mechanisms. The most promising of these appears to be domain reputation, which is the assignment of value to a domain name based on accumulated evidence.
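To make the distinction concrete, here is an added example (not code from the original post or from any DKIM project) of the two pieces a filter needs: extracting the signing domain from a verifier's Authentication-Results header only when the result is dkim=pass, and then scoring that domain from accumulated good/bad evidence rather than treating the signature itself as a pass. The header values, the domains' evidence counts, and the score thresholds are all constructed for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed Authentication-Results values (RFC 7601 syntax) as a receiving
# MTA's DKIM verifier might add them. Sample data, not real mail.
SAMPLE_HEADERS = {
    "signed_by_known_good": "mx.example.net; dkim=pass header.d=paypal.com header.i=@paypal.com",
    "signed_by_lookalike":  "mx.example.net; dkim=pass header.d=p4yp4l.com header.i=@p4yp4l.com",
    "signature_broken":     "mx.example.net; dkim=fail (body hash mismatch) header.d=paypal.com",
    "unsigned":             "mx.example.net; spf=pass smtp.mailfrom=bounce.example.org",
}

# One DKIM clause of an Authentication-Results value: the result token, then
# (optionally) the header.d= property that names the signing domain.
DKIM_CLAUSE = re.compile(
    r"dkim=(?P<result>[a-z]+)(?:[^;]*?\bheader\.d=(?P<domain>[A-Za-z0-9.-]+))?",
    re.IGNORECASE,
)


def verified_signing_domain(auth_results: str) -> Optional[str]:
    """Return the DKIM signing domain only when the verifier reported dkim=pass.

    fail, none, or a missing clause all yield None: an unverified domain is
    just a bunch of characters and carries no responsibility to score.
    """
    m = DKIM_CLAUSE.search(auth_results)
    if not m or m.group("result").lower() != "pass" or not m.group("domain"):
        return None
    return m.group("domain").lower()


class ReputationStore:
    """Accumulates good/bad evidence per domain and turns it into a score."""

    def __init__(self) -> None:
        self._evidence: Dict[str, Tuple[int, int]] = {}  # domain -> (good, bad)

    def record(self, domain: str, good: bool) -> None:
        g, b = self._evidence.get(domain, (0, 0))
        self._evidence[domain] = (g + 1, b) if good else (g, b + 1)

    def score(self, domain: str) -> float:
        """Laplace-smoothed share of good evidence in [0, 1]; unseen domains get 0.5.

        A brand-new domain therefore starts neutral and has to earn its way up,
        which is the incentive the post describes.
        """
        g, b = self._evidence.get(domain, (0, 0))
        return (g + 1) / (g + b + 2)


def disposition(store: ReputationStore, auth_results: str) -> str:
    """Map a message's DKIM outcome plus domain reputation to a filtering decision."""
    domain = verified_signing_domain(auth_results)
    if domain is None:
        return "no-dkim-evidence"      # fall back to other filtering signals
    s = store.score(domain)
    if s >= 0.9:                       # thresholds are illustrative choices
        return "prefer"
    if s <= 0.2:
        return "quarantine"
    return "neutral"


def build_demo_store() -> ReputationStore:
    """Constructed evidence: a long record of wanted mail vs. a fresh domain with only complaints."""
    store = ReputationStore()
    for _ in range(50):
        store.record("paypal.com", True)
    for _ in range(8):
        store.record("p4yp4l.com", False)
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:22s} -> {disposition(demo, value)}")
```

Both dkim=pass messages verify cleanly; only the reputation lookup separates them, and the message whose signature failed contributes nothing because no domain has actually taken responsibility for it.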
This could change the behaviour of email: since bad reputations can be easily shed by switching to a new domain name, the interesting data will be good reputations, and that will mean domain owners will work hard to earn good reputations and even harder to keep them.
Commercial, private reputation systems have had some success, demonstrating the value and resilience of collaborative feedback systems in which reliable sources earn increased trust. In an increasingly noisy email world, such a system will provide a distinct advantage when attempting to identify messages that should receive preferential treatment.