Authenticate Your Email - Cryptographic Solutions
Earlier, I described authentication of email messages. I stated the objective of email authentication was to facilitate getting legitimate email delivered to the Inbox, while not delivering unwanted email (i.e., spam).
I also said there were two categories of solutions: those that deal with sender address forgery and cryptographic solutions.
Since most abusive email messages carry fake sender addresses, it makes sense to try to detect forgeries and then drop that email. Last time I discussed the four protocols that deal with sender address forgery:
- Sender Policy Framework (SPF) - Open Source, 2003, historical status.
- Sender ID - From Microsoft, 2004, historical status.
- Sender ID Framework - Combination of Sender ID & SPF, 2004, historical status.
- Vouch by Reference (VBR) - In April of 2009, a new standards track proposal was submitted to the Internet Engineering Task Force (IETF), called Vouch by Reference (VBR). It will be valid for six months.
There are also three cryptographic solutions, but I will only discuss the third, since it represents a combination of the first two and is an industry-wide effort that is currently on an Internet standards track:
- DomainKeys - from Yahoo
- Internet Identified Mail (IIM) - from Cisco
- DomainKeys Identified Mail (DKIM) - Combination of DomainKeys & IIM
So, What Is DKIM Anyway?
DKIM defines a way for an organization to take responsibility for its email ... to provide a way for the recipient to verify that it came from that organization. The receiver can then decide what to do with the email.
DKIM provides a great deal of flexibility for the organization that signs the message: The organization can be the author's, the originating sending site, an intermediary, or one of their agents.
There is also flexibility in the signatures: A message can contain a single or multiple signatures, from the same or different organizations involved with the message and its transport.
Once the sender has been identified, Sender Reputation then comes into play, since this is what can then ensure delivery of the organization's email ... Or, just the reverse - the email could be dropped!
DKIM uses public-key cryptography and a domain-level digital signature. This differs from most cryptographic solutions, in that it uses a key-centric public key management approach, whereas most schemes use a certificate. With DKIM, the owner of the signing domain (the SDID, defined below) asserts the validity of the key; with a certificate-based scheme, a trusted third party asserts the validity of the key.
The Domain Name Service/System (DNS) acts as the key server, thus reducing the need for new infrastructure. Both the integrity of the message contents and the responsible organization can be verified.
DKIM also includes an option to publish details about an organization's email signing practices. So, for example, it could be stated that ALL email from an organization will be signed. If an unsigned message is received from the organization, the recipient could look up the organization's published signing practices and thus learn the unsigned message is not legitimate.
Verifying an Identity and What It Means
A given person or organization (an entity) is distinguished from all others via a set of characteristics. There are also one or more "identifiers" or names associated with an entity. DKIM uses a domain name as an identifier and calls the identifier the Signing Domain Identifier (SDID). The SDID will appear in the DKIM Signature header fields, indicated by the "d=" tag. The signing entity (the owner of the SDID) is stating they will be responsible for the message.
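To make the "d=" tag concrete, here is an added example (not code from the original post) that reads every DKIM-Signature header field in a constructed message, extracts each SDID, and derives the DNS name where that signer's public key is published. The selector ("s=" tag), the "_domainkey" label and the list of required tags come from the DKIM specification (RFC 6376) rather than from this post; the domains and signature values are placeholders.

```python
import re
from email import message_from_string

# Constructed sample: an author signature plus one from an intermediary.
# The bh=/b= values are placeholders, not real hashes or signatures.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2024;
 c=relaxed/simple; h=from:to:subject;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDER
 SIGNATURE==
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=k1;
 h=from:subject; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG==
From: Anonymous Author <someone@example.org>
Subject: constructed test message

body
"""

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # per RFC 6376

def parse_tag_list(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # a trailing ";" is allowed
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Header folding may split a value across lines; drop that whitespace.
        tags[name] = re.sub(r"\s+", "", val)
    return tags

def signers(raw_message):
    """Return (SDID, DNS name holding the public key) for each signature."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(value)
        missing = [t for t in REQUIRED if t not in tags]
        if missing:
            raise ValueError(f"missing required tags: {missing}")
        sdid = tags["d"].lower()  # domain names compare case-insensitively
        found.append((sdid, f"{tags['s']}._domainkey.{sdid}"))
    return found
```

Neither SDID in the sample matches the From: domain, which is the point: the signature identifies who takes responsibility for the message, not who wrote it.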
DKIM is intended to be a value-added feature of email ... NOT a basic function. DKIM will interoperate with unsigned email, which will be treated the same as always - it will be subjected to standard analysis and filtering.
DKIM also supports anonymous email. The author of the message can remain anonymous, while the identity of the organization is verified.
An important thing to remember about DKIM is that the only semantics inherent to a DKIM signature are that the signer is saying: "I will take responsibility for this message!"
Sender reputation then finishes the job.
Next time, I'll talk a bit more about DKIM, including its design objectives and how it is used.