Thursday 24 May 2007

CNET's Error Explaining DKIM

Declan McCullagh, writing in CNET, makes the standard schoolboy error of assuming that email sender authentication technologies are "antispam techniques."

They're not.

DomainKeys Identified Mail (DKIM) and other sender authentication technologies are simply ways to detect forgeries. At best, they give a partial indication whether a message is spam or not, but their main use is to allow recipients to look up the reputation of the sending domain.

Detecting phishing attacks via sender authentication depends on legitimate senders, such as PayPal, publishing information in the DNS. An email that purports to come from can then be verified against that published information.

Of course, this doesn’t stop phishers from using similar domains, such as Many users won't notice the difference. A DKIM test will "pass" because the bad actors own the fraudulent domain.

In other words, DKIM alone is almost useless. That's why we also need domain-level reputation services.

For several years, spam and virus control has been assisted by the use of DNS blacklists (DNSBLs). These list rogue IP addresses and address ranges that have been observed sending spam, viruses, or other undesirable content. The lists are interrogated in real time, usually via a DNS query. Several spam control vendors use a form of DNSBL, known as a reputation service. These provide a professionally run service that rates the reputations of IP addresses—good, bad, or unknown.

So today, we have IP address based reputation services, but not the ability to track and report the reputation of a sending domain. In the future, reputation services will be able to track the reputation of sending domains, as well as of IP addresses. This is not possible today, as the purported sender of a message is too easy to forge.

Email sender authentication techniques such as DKIM thus provide the missing piece of the puzzle, by allowing services to track the reputation of a domain. So, as the use of sender authentication becomes more widespread, reputation services will become more useful.

And with sender authentication becoming more popular, trusted authorities need a standard mechanism to vouch for a domain name. For example, a receiving mail system may be able to use SPF/SIDF or DKIM to verify that an incoming message was sent by, but it currently has no standard way of deciding if it wants to receive email from that company.

The Domain Assurance Council (DAC) plans to solve that problem by publishing reputation or accreditation data about a domain name in a standard form. This standard, called Vouch By Reference (VBR), will create a market for organizations that vouch for domains, allowing its members to compete with minimum friction.

By the way, according to his Politech bio, Declan McCullagh is CNET's chief political correspondent, as well as being a rather good photojournalist.


Unknown said...

Thank you for setting that straight.

One thing I'll point out is that reputation can be locally-maintained. Local reputation is not as powerful as shared reputation services, but does provide benefit in the short term.

Richi Jennings said...

Jim, yes. More at today's post

Dyre42 said...

Dude, there's a war against spam going on. So Shhhh or you'll embolden the enemy.

Post a Comment