In association with heise online

13 March 2008, 16:29

Developers hope for wider use of the DKIM anti-spam protocol

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The developers of the Domain Keys Identified E-mail (DKIM) standard of the Internet Engineering Task Force (IETF) are hoping that their anti-spam protocol will become more widely used by companies and ISPs. At the IETF meeting in Philadelphia, Cisco engineer Jim Fenton, one of the authors of DKIM, said that although some work still remained to be done, for example on "Author Sending Practice" (ASP), the basic specification was stable. Besides Cisco, Google for instance uses DKIM for its Gmail accounts. Yahoo uses the protocol to a limited extent.

The protocol provides a simple way of signing outgoing E-mails with a code that is valid for the respective domain. This domain code can be queried by the recipient and then matched with the incoming E-mail. Cisco itself uses DKIM internally for its own E-mails. IronPort, the mail provider purchased by Cisco, is trying to make the signing protocol palatable to its clients.

In Germany, the E-mail provider is among the pioneers. Christian Felsing of explained to heise online that "All E-mail sent by is signed with DKIM so that its recipients can check whether the E-mail concerned actually does come from". He said incoming E-mail is also checked for a DKIM signature, "If the signature is OK, we use it as just one of our many criteria for filtering spam."

Felsing said implementation had not been difficult, although current versions of the Mail Transfer Agent (MTA), for example EXIM 469, were required. These have still not yet been accepted into the "Stable Tree" by some Linux distributions. Nevertheless, its introduction at Taunusstein had been quite unproblematic.

David Elze, who has also introduced DKIM for his domain and a further 18 domains he looks after, says that "What is problematic is of course the limited number of those taking it up, as well as the computing effort required of the system for making the cryptographic check when there is a very high level of traffic". According to Elze, at the present time, around one per cent of incoming E-mail has a DKIM signature.

At the Austrian regional registry, all outgoing automated, administrative E-mails started being signed this way at the end of February. So anyone who receives an E-mail from there about the creation or deletion of a domain can check whether the signature is correct. For normal office E-mail, this signing method will follow later.

Felsing admitted that, just as with its predecessor SPF, spammers react swiftly to countermeasures. So for example they were simply obtaining the necessary number of domains and storing DKIM signatures or SPF records, he explained: the ability to register domains quickly and free of charge (Domain Tasting) was making it easy for spammers "to occupy domains for three days, to 'burn them up', and send their rubbish out into the world". This awarding practice is now however coming under heavy fire from the Internet Corporation for Assigned Names and Numbers (ICANN).

(Monika Ermert)


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit