How DKIM Works

DKIM allows an organization to insert a cryptographic signature in outbound e-mail and associate that signature with its domain name. The signature travels with the e-mail regardless of its path across the Internet. The recipient of the e-mail can use the signature to validate that the message came from the organization's domain name.

"Right now, a receiver of a message has no confidence that the message they are receiving is from whom it claims to be from," Olson explains. "DKIM is a way to permit a receiver of a message to validate that a message is, in fact, from whom it claims to be from."

DKIM won't eliminate e-mail fraud altogether, but it will help companies that are targets of phishing scams to give their customers a way of ensuring they sent a particular message.

"If the receiver has confidence that an e-mail that claims to be from Bank of America is from Bank of America, then they are not going to worry that someone is trying to steal their Social Security number," Olson says.

DKIM is a merger of two protocols: DomainKeys, which was created by Yahoo, and Identified Internet Mail, which was created by Cisco. These companies along with other messaging vendors and ISPs are working with the IETF's DKIM working group on technical specifications, which are almost done.

"DKIM is a stable specification," Fenton says. "The DKIM base specification, which is how you sign a message and how you verify the signature, is very well defined. It's not a moving target."

The IETF's DKIM working group is still tweaking the Sender Signing Practices, which is a document that will describe how senders can provide information in their DKIM records for recipients to use in deciding what steps to take with messages received from the sender.

"If I sign all my mail and you get a message that purports to come from me that's not signed, then you can assume that message is not from me," Olson explains. "That policy would be in the DNS record associated with the sender. The SSP is in its 10th draft right now...I hope it will be done soon."

Network vendors say DKIM is ready for deployment. In November, 20 ISPs and messaging vendors conducted an interoperability test of their DKIM deployments.

Vendors that participated in the DKIM interoperability test say the standard works, and that no technical stumbling blocks were discovered.

"We did find some cases where the RFCs need some clarification," Olson says. "But the test showed that multiple people working independently have been able to interoperate with DKIM."

DKIM-compliant software and appliances are available from Sendmail, IronPort, Alt-N Technologies, Message Systems, Port25 Solutions, StrongMail Systems and others.

"It's pretty easy for a corporation to go out and deploy DKIM because there are enough commercial products that have DKIM support," Fenton says.