We’ve just reached an important milestone in our battle against email scammers. Today, the Internet Engineering Task Force (IETF) has approved DomainKeys Identified Mail (DKIM) as a proposed Internet standard — RFC 4871. That’s bad news for spammers, spoofers, and phishers everywhere.

What is DKIM?

I’m told that not everyone discusses DKIM over their morning brew, so for those few who don’t yet know what DKIM is, here’s the story.

DKIM is an email authentication framework that addresses the widespread issue of email forgery, using cryptography to verify the domain of the sender. It allows email providers to validate an email’s originating domain, making use of blacklists and whitelists more effective. It also makes phishing attacks easier to detect by helping to identify abusive domains.

Critically, DKIM is aimed at domain-level authentication, which makes global adoption feasible.

Since email forgery is an issue touching the whole industry, it’s only natural that earlier attempts and experiments have been made in this area, but it’s now widely acknowledged that the cryptographic approach is the best long-term solution and explains why DKIM is the only one to attain Standards Track status.

For nearly 20 years, the bad guys have had an easy way to hide. But now, with widespread adoption of DKIM, we can correct that imbalance. In other words, the bad guys won’t be able to hide for much longer. About time, I reckon.

Who helped?

While DomainKeys started as a technology at Yahoo!, it will only have value if it’s standardized and ubiquitous. And that’s exactly what we’ve been working on for the last three years.

Three years may seem like a long time to some, but in the standards business that’s an incredibly short period that has only been possible due to strong industry collaboration and a lot of hard work by the DKIM Working Group.

Our co-authors at Cisco, PGP and Sendmail obviously provided superior expertise and support over a great period of time. But to be fair, they are just the tip of a very large iceberg of hardworking individuals who helped bring DKIM to fruition. Organizations as diverse as IBM, Earthlink, Microsoft, Spamhaus, Google, PayPal, and Alt-N all had a hand in getting us to this point.

Frankly, it’s hard to think of anyone in the industry who hasn’t helped at some point in time. Did you know that the FTC and National Institute of Standards and Technology (NIST) also provided a helping hand? Your tax dollars at work — and well-spent, I must say.

What’s next?

Everything hinges on wide-spread adoption. Now that DKIM is on Standards Track, the hurdle to global adoption has been greatly reduced, but not cleared. I joked earlier that someone might not have heard of DKIM, but the email industry is so big and diverse that evangelizing, education and encouragement are needed to ensure the success of DKIM.

As the largest email provider on the planet, we’re committed to doing everything we can. Fortunately, there are many in our industry working hard every day to make DKIM a success. Our thanks go out to all of those helping, from the largest companies to the smallest open source project. DKIM couldn’t have happened without you.

Most importantly, now that you know about DKIM, you can evangelize, too. Maybe it’s the next topic to share over a cup of joe? It worked wonders for me.

Mark Delany
Chief Architect, inventor of DomainKeys