New E-Mail Authentication Spec Submitted to IETF

The DomainKeys Identified Mail standard uses public key cryptography to sign e-mail messages, allowing receiving domains to identify legitimate senders and weed out spam and phishing e-mail with spoofed addresses.

A group of leading technology companies that includes Microsoft Corp., IBM, Yahoo Inc. and Cisco Systems Inc. has submitted a new e-mail authentication standard to the Internet Engineering Task Force for consideration, eWEEK has learned.

The specifications for DomainKeys Identified Mail, or DKIM, were submitted to the IETF on Monday for consideration as a new e-mail authentication standard. DKIM has been in development since August and combines technology from Yahoo and Cisco. In addition to backing the new standard, the authoring companies plan to license it for free and may release it to the open-source community, according to information provided to eWEEK by the group.

The new DKIM standard will be available as an IETF Internet Draft through the organization's Web site in the near future, said Eric Allman, chief technology officer at Sendmail Inc.

Allman is part of a core working group that created the DKIM specification. The group includes representatives from PGP Corp., Yahoo and Cisco.

Discussions of DKIM will be part of the 63rd IETF meeting in Paris, which begins on July 31, 2005, according to the group.

DKIM uses public key cryptography to sign e-mail messages, allowing receiving domains to identify legitimate senders and weed out spam and phishing e-mail with spoofed addresses. The specification combines elements of Yahoo's DomainKeys technology and Cisco's Identified Internet Mail technology.

As with DomainKeys, e-mail domain owners will generate a public and private cryptographic key pair, then publish the public key in their DNS (Domain Name System) record. The private key is stored on their e-mail servers. Components of Cisco's Identified Internet Mail header-signing technology will be used to sign messages, said Miles Libbey, anti-spam product manager at Yahoo.

E-mail administrators will have to install a software plug-in that supports DKIM on their mail servers, but the change will be easy to implement, especially for domain owners who have already set up DomainKeys, Libbey said.

Leading e-mail server makers such as Sendmail Inc. are pledging to release DKIM plug-ins for their products.

"We wanted to make it as easy as possible to make the transition from DomainKeys to DKIM," Allman said.

DKIM could become a widely accepted standard for securing e-mail communications and thwarting e-mail forgery and phishing attacks, said Jim Fenton, distinguished engineer at Cisco and one of the authors of the new specification.

"A lot of people in the past have said the future is to put cryptographic signatures in [e-mail] messages. So we're trying to present the future here. And we believe the future is now."

The announcement comes as leading e-mail experts are gathering in New York City this week to encourage organizations to implement e-mail authentication technology such as DomainKeys, or Microsoft's SIDF (Sender ID Framework).

Fenton and Libbey acknowledged that unveiling the DKIM specification on the eve of the Summit could complicate matters because DKIM isn't ready for deployment, though it has been tested in three trial deployments by Sendmail and Cisco to shake out problems in the specifications, Fenton said.

"Is DKIM available now? No. But enterprises should start planning for it and start putting infrastructure in place to use it when it is available," he said.

Even when it is ready for deployment, DKIM will be one layer of a multilayered solution for problems such as spam and phishing that also includes SPF and SIDF, Fenton said.

"It's like trying to stop crime," said Libbey. "It's silly to have locks on your doors, but no police force. You never want only one defense."