Powerful new antiphishing weapon DKIM emerges

DKIM standard attracts Cisco, Google, PayPal and more

DKIM usage booms

DKIM adoption is accelerating, especially among banks, mortgage companies and insurance companies.

"I think there will be rapid adoption of DKIM," says Charles Stiles, director of worldwide business development for Goodmail, a certified e-mail service that will support DKIM in May. "The standard is proving to be very successful. The best and brightest people in the world worked on it. It offers up a foolproof, spoof-proof way to authenticate messages."

BITS, a group of 100 of the largest U.S. financial institutions, last year recommended that its members adopt DKIM by October 2008. BITS also recommended two other standards for securing e-mail: Transport Layer Security (TLS), which encrypts e-mail messages between servers; and either Sender ID Framework (SIDF) or Sender Policy Framework (SPF) to validate that a received e-mail originates from an authorized mail server within a particular domain.

"What BITS is doing here, with all of its members speaking in one voice with such a massive impact, gives people confidence in DKIM," Peterson says. "It's unlike anything we've seen" in terms of driving DKIM adoption.

ISPs are adopting DKIM because they want to protect their customers against spam and phishing scams. E-mail senders are tying to protect their brands, identities and customers from phishing scams.

PayPal and eBay have teamed up with Yahoo to battle phishing attacks with DKIM. PayPal and eBay are signing their e-mails with DKIM, and Yahoo Mail will block e-mails claiming to be sent by eBay and PayPal that haven't been signed through DKIM.

"EBay and PayPal have always attracted fraudsters, phishers and all that. Our customers see too much e-mail that isn't coming from us," says Mike Vergara, director of account protection at PayPal, which is owned by eBay. "DKIM takes a good industrywide standards approach. We need to add strong authentication to our e-mails so customers can have confidence that it did come from us. And we need to get ISPs to leverage that so we can say to them: If it didn't come from us, please don't deliver it."

PayPal is deploying DKIM after already rolling out Sender Policy Framework (SPF), a complementary Microsoft-backed standard that is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to reject e-mail coming out of forged "from" addresses.

Vergara says the hardest part about deploying DKIM was documenting PayPal's e-mail infrastructure to determine all the systems and domains that send e-mail to customers.

"There's no one postmaster at eBay or PayPal. It took a lot of time to figure out all the e-mails we were sending -- transactional e-mails, marketing e-mails, customer support e-mails -- and where they were coming from around the world," Vergara says. "Getting our hands around that took us 12 months. Rolling out e-mail appliances and upgrading them to DKIM took a couple of weeks."

Vergara says DKIM works. He says Yahoo has blocked hundreds of thousands -- sometimes millions -- of messages per day that supposedly came from eBay or PayPal but weren't legitimate because they weren't DKIM signed.

Now PayPal is in discussion with other ISPs to convince them to block messages from either PayPal or eBay that aren't signed with DKIM.

"We can't solve this e-mail fraud problem on our own," Vergara says. "We are trying to light a fire under the ISPs to help us solve this problem for the people who use our services."

DKIM has its limitations. A minority of companies is signing their outbound messages with DKIM, and fewer still are checking for DKIM signatures on inbound mail. But backers of the technology hope this problem will be eliminated as ISPs and banks deploy DKIM.

"If I sign all my messages to protect my brand, but the person receiving it or their ISP aren't checking, it all looks the same to the recipient," Peterson says. "I feel pretty confident that a year from now 30% of all companies will be signing their messages. Yahoo and Gmail have adopted it. Bank of America and PayPal have been very vocal supporters. Hope springs eternal. I do feel that we're at the tipping point for DKIM."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?