One small step for email, one giant leap for Internet safety
Posted May 22nd, 2007 at 5:03 pm by Mark Delany, Yahoo! Mail
28 Comments / Filed in: Trends & News
We’ve just reached an important milestone in our battle against email scammers. Today, the Internet Engineering Task Force (IETF) has approved DomainKeys Identified Mail (DKIM) as a proposed Internet standard — RFC 4871. That’s bad news for spammers, spoofers, and phishers everywhere.
What is DKIM?
I’m told that not everyone discusses DKIM over their morning brew, so for those few who don’t yet know what DKIM is, here’s the story.
DKIM is an email authentication framework that addresses the widespread issue of email forgery, using cryptography to verify the domain of the sender. It allows email providers to validate an email’s originating domain, making use of blacklists and whitelists more effective. It also makes phishing attacks easier to detect by helping to identify abusive domains.
Critically, DKIM is aimed at domain-level authentication, which makes global adoption feasible.
Since email forgery is an issue touching the whole industry, it’s only natural that earlier attempts and experiments have been made in this area. But it’s now widely acknowledged that the cryptographic approach is the best long-term solution, which explains why DKIM is the only one to attain Standards Track status.
For nearly 20 years, the bad guys have had an easy way to hide. But now, with widespread adoption of DKIM, we can correct that imbalance. In other words, the bad guys won’t be able to hide for much longer. About time, I reckon.
Who helped?
While DomainKeys started as a technology at Yahoo!, it will only have value if it’s standardized and ubiquitous. And that’s exactly what we’ve been working on for the last three years.
Three years may seem like a long time to some, but in the standards business that’s an incredibly short period that has only been possible due to strong industry collaboration and a lot of hard work by the DKIM Working Group.
Our co-authors at Cisco, PGP and Sendmail obviously provided superior expertise and support over a great period of time. But to be fair, they are just the tip of a very large iceberg of hardworking individuals who helped bring DKIM to fruition. Organizations as diverse as IBM, Earthlink, Microsoft, Spamhaus, Google, PayPal, and Alt-N all had a hand in getting us to this point.
Frankly, it’s hard to think of anyone in the industry who hasn’t helped at some point in time. Did you know that the FTC and National Institute of Standards and Technology (NIST) also provided a helping hand? Your tax dollars at work — and well-spent, I must say.
What’s next?
Everything hinges on widespread adoption. Now that DKIM is on Standards Track, the hurdle to global adoption has been greatly reduced, but not cleared. I joked earlier that someone might not have heard of DKIM, but the email industry is so big and diverse that evangelizing, education and encouragement are needed to ensure the success of DKIM.
As the largest email provider on the planet, we’re committed to doing everything we can. Fortunately, there are many in our industry working hard every day to make DKIM a success. Our thanks go out to all of those helping, from the largest companies to the smallest open source project. DKIM couldn’t have happened without you.
Most importantly, now that you know about DKIM, you can evangelize, too. Maybe it’s the next topic to share over a cup of joe? It worked wonders for me.
Mark Delany
Chief Architect, inventor of DomainKeys
28 Comments
G. Chai | May 22nd, 2007 at 6:39 pm
Great to hear IETF’s approval of DKIM. With DKIM potentially eliminating spam, unlimited storage may not be needed after all!
soxiam | May 22nd, 2007 at 7:20 pm
Is Yahoo! really the largest email provider on the planet? I’ve always been led to believe that position was being held by MS hotmail/livemail. Could you provide us with some metrics on how the data was gathered? Thanks.
jon | May 22nd, 2007 at 9:37 pm
congratulations!!
Pieter | May 23rd, 2007 at 7:07 am
Mark,
congrats on the acceptance and kudos for a job well done!
Now all I can hope for is that it is accepted faster by system administrators than it was by the IETF :)
Another option managers of e-mail systems should consider (and implement) is using greylisting in combination with blacklisting. Greylisting already stopped about 99% of all virus attacks via e-mail on our network, blacklisting stops another 800 to 1000 attempts of malicious mail-delivery to our servers.
Steffan | May 23rd, 2007 at 8:03 am
Good work Mark!
Can’t wait to see this implemented world-wide…
Yves Hanoulle | May 23rd, 2007 at 8:05 am
This is great news
S B | May 23rd, 2007 at 8:25 am
Thanks Mark.
Lilly | May 23rd, 2007 at 9:00 am
That is a great step for internet safety! If they can verify the domain of the sender, can they verify the user of that domain? Like could they catch internet predators this way so they stop talking to children online? I am going to ask the experts on the NetSmartz411 site if this would be possible!!
TheAnand | May 23rd, 2007 at 11:15 am
That’s wonderful news! And I think the no. of spam on my junk mail has come down….earlier it used to be at a ratio of 1 real mail to 10! now its about 1:4….good luck!
Douglas Otis | May 23rd, 2007 at 1:53 pm
There remain cases where an SMTP client is not within the DKIM domain. It would be nice to have a means for the DKIM domain to authorize SMTP clients.
For example:
EHLO some-host.large-esp.com
…
dkim d=customer.info
Within DNS:
._ssp.customer.info. TXT
“large-esp.com…”;
This scheme permits an esp to send DKIM signed messages where those who authorize the esp thereby indicate their trust. The trust being that esp ensures only authorized sources for customer.info are transmitted by esp SMTP clients. This ensures no one would be able to abusively replay DKIM messages and hurt or take advantage of their reputation. This would be extremely important when those signing messages might sign messages for poorly vetted authors. This ensures poorly vetted authors cannot benefit by indirectly sending themselves messages they then replay to usurp the once good DKIM domain reputation.
There should also be grave concerns for utilizing SPF as a means to provide DKIM domain associations. The local-macro expansion feature of SPF’s script-like scheme enables a _resource-free_ means to stage a DoS attack while also spamming! The operations required to acquire SPF records also make this approach extremely dangerous in general, as this can lead to _very_ high amplifications as well. Dissuading use of dangerous libraries acquiring SPF records may even require use of ‘+all’, to ensure only CIDR constructs are used for white-listing purposes only.
Douglas Otis | May 23rd, 2007 at 2:07 pm
Correction:
Comment mangled by defanging:
base32-hash-of-large-esp._ssp.customer.info. TXT
“large-esp.com…”;
Arvel Hathcock | May 24th, 2007 at 8:34 am
Excellent work my friend!
Arvel
Randy Stewart | May 24th, 2007 at 4:02 pm
DKIM is a great start to combatting phishing attacks on the net. Congrats on getting the standard approved.
Cheers,
Randy Stewart
randy@boxbe.com
anshu | May 25th, 2007 at 3:44 am
Yahoo, this DOES NOT WORK. Just LOG INTO MY email and check how my Inbox has been BOMBARDED WITH SPAMS
I left using yahoo for other service *guess?*.
And by Spam, I don’t mean newsletter I subscribed to but now I hate. I mean v1agr@ and c1@liS spams, got it? It comes right in my Inbox. Why???????????
Ryan | May 25th, 2007 at 5:37 pm
I am wondering when Yahoo! mail is going to start including messenger within the mail system so I don’t have to keep the two applications separate anymore. Gmail accomplishes this now, and I have been waiting on Yahoo! to do this since the announcement in Feb. and so far nothing.
Why announce this stuff and then take months to roll it out - especially when your competitors at Google are already doing it…..
JayVee | May 26th, 2007 at 4:57 am
Great work!
Finally the end of the spammers’ dominion is in sight!
bhaskar mahendrakar | May 26th, 2007 at 3:23 pm
Hai,
The biggest problem I have with Yahoo mail is SPAM mails..these form the major chunk of mails I receive daily.
And also sometimes regular mails are being moved to SPAM…I am using yahoo mail for about 8 years now…
Craig Herberg | June 6th, 2007 at 8:29 pm
This could be a major turning point in the war against spam. If this succeeds in making spam economically non-viable, we will be able to reclaim our inboxes.
BIP | June 30th, 2007 at 6:43 am
Require email approval by specific address from blocked domains..such as yahoo.com for example. Your domain is blocked by many folks and most have an ability to allow specific addresses to pass through the domain block..not yahoo…I block a domain and cannot allow a specific address from that domain….dull.
Fei | July 15th, 2007 at 3:08 pm
When will Yahoo start using DKIM/RFC 4871 instead of the old DomainKeys?
I spent all weekend implementing and testing DKIM because it was touted in press releases like this one.
And my DKIM-signed emails to dkim-test@testing.dkim.org pass all their DKIM tests.
But my DKIM-signed emails to yahoo.com say “(no sig)” as of July 15, 2007.
Again, does anyone know when Yahoo.com will use DKIM?
Thanks!
Richard Wooding | October 3rd, 2007 at 2:26 am
DKIM or older DomainKeys?
Richard Wooding | October 3rd, 2007 at 2:30 am
We have a community website which emails our members, the majority of which use @yahoo.com based webmail.
Should I use DKIM or older DomainKeys?
I have implemented DKIM by using dkimproxy at http://jason.long.name/dkimproxy/ with postfix.
I have tested the DKIM signing with the following reflector services:
dkim-test AT mtcc DOT com
dktest AT exhalus DOT net
dktest AT blackops DOT org
sa-test AT sendmail DOT net
The DKIM signing seems to be working correctly, however I am unsure if the Yahoo! based webmail is understanding this, or should I use the older Yahoo! Domain Keys.
Your advice on this will be much appreciated.
Mark Risher | October 4th, 2007 at 9:36 am
@fei & @Richard Wooding -
Yahoo! Mail is committed to encouraging e-mail authentication, and has been signing and validating using DomainKeys since 2004. While we are moving towards the IETF standard DomainKeys Identified Mail (DKIM) in the upcoming months, if you want your messages to receive validation starting immediately, I would recommend DomainKeys.
It’s important to note that we will continue validating DomainKeys signatures in parallel with DKIM for a good long time (we certainly don’t want to create extra work for the early-adopters!). In recent months, we have seen several large senders successfully signing their messages with both DomainKeys and DKIM, and if you want to reach the broadest possible audience, you may want to consider such a solution during this transition period.
Hope that helps,
Mark Risher
Product Manager, Yahoo! Mail
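Added example (not part of the original post or comments, and not Yahoo!'s code): a header check for the transition period described in the reply above, reporting whether an outbound message carries a DKIM signature, a DomainKeys signature, or both, and the DNS name where each public key would be looked up. The sample message, example.org, the selectors and the function names are constructed for illustration; the script reads headers only and does not verify any signature.

```python
import email

# Constructed sample (not from the page): a sender dual-signing during the
# DomainKeys -> DKIM transition. Signature data is placeholder text.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;
\ts=sel2007; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk1; d=example.org;
\th=from:to:subject; b=PLACEHOLDER
From: news@example.org
To: member@example.net
Subject: constructed test message

body
"""

def parse_tags(value):
    """Split a 'tag=value; tag=value' list, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def signatures(raw):
    """Return one record per DKIM / DomainKeys signature header found."""
    msg = email.message_from_string(raw)
    found = []
    for header, scheme in (("DKIM-Signature", "DKIM"),
                           ("DomainKey-Signature", "DomainKeys")):
        for value in msg.get_all(header, []):
            tags = parse_tags(value)
            d, s = tags.get("d"), tags.get("s")
            # Both schemes publish the key at <selector>._domainkey.<domain>
            key_name = f"{s}._domainkey.{d}" if d and s else None
            found.append({"scheme": scheme, "domain": d, "selector": s,
                          "key_name": key_name, "algorithm": tags.get("a")})
    return found

def transition_status(raw):
    """Classify a message by which signature schemes it carries."""
    schemes = {sig["scheme"] for sig in signatures(raw) if sig["key_name"]}
    if schemes == {"DKIM", "DomainKeys"}:
        return "dual-signed"
    return next(iter(schemes), "unsigned")
```
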
Manele | November 13th, 2007 at 11:56 pm
Great Job! I hate spammers! Now I will love more my yahoo mail!
Manele gratis | January 9th, 2008 at 9:39 am
Great work! keep up the good work!
Muzica Noua | January 31st, 2008 at 8:28 am
Great Job! I hate spammers! Now I will love more my yahoo mail! I will tell to all of my friends about this site
manele noi | March 6th, 2008 at 12:32 pm
Great work .. is a great step …
RS | March 17th, 2008 at 9:22 pm
Put that in English Mark. Can we set our Yahoo Mail accounts to only accept DKIM e-mails? Get about 50 spams a day on that account…As soon as you can do that, you are on to something great. Go on you for tackling this issue. Good to hear that Yahoo helped clean up the web, if that indeed is what ends up occurring. Hope it helps turn your stock around.