Hello DKIM, Good-bye Spam? - How Much of an Impact?
DKIM’s impact on spam will be indirect, at least to begin with. As Eric Allman explains, “By itself DKIM is just authentication, and many people confuse that with authorization. As a real-world example, my driver's license may identify me but it says nothing about my driving record.” The point is, though, that this authentication can be useful further down the road.
As Allman continues, “we can fairly easily come up with a whitelist of the top few hundred phishing targets, with paypal.com at the top. This list is pretty static and can be of use today. This is a form of ‘reputation’ (actually ‘accreditation’), albeit only of use to the largest players. But that usefulness encourages those sites to sign, which will encourage more sites to verify, which will increase demand for domain reputation, which will encourage even more sites to sign, etc.”
So DKIM’s impact on phishing might be fairly quick, because it’s all about verifying that emails come from where they say they come from. For spam, however, it will probably take somewhat longer, because there’s nothing to prevent a spammer from getting a key and sending out verified email. The spammer then has to “get caught,” or build a reputation as a spammer.
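The difference between the phishing case and the spam case can be shown as a receiver-side policy. This is an added example, not code from the article or from any DKIM implementation: it assumes a separate DKIM verifier has already reported which signing domains validated (the `verified` argument), and the list contents, sample messages, the domain `bulk-mailer.example` and the outcome labels are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed accreditation list; paypal.com is the article's own example.
PROTECTED = {"paypal.com"}

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def covers(parent, domain):
    """True if domain is parent or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)

def classify(raw, verified):
    """verified: d= domains whose signatures a DKIM verifier validated
    (assumed input; the DNS key lookup and crypto are not done here)."""
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = {dkim_tags(v).get("d", "").lower()
               for v in msg.get_all("DKIM-Signature", [])}
    good = {s for s in signers if s and s in verified}
    target = next((p for p in PROTECTED if covers(p, author)), None)
    if target:
        # Claims a listed domain: only a valid signature from that domain counts.
        if any(covers(target, s) for s in good):
            return "accredited"
        return "suspected-phish"
    # Unlisted domain: a valid signature identifies the signer, nothing more.
    return "authenticated-no-reputation" if good else "unauthenticated"

# Constructed sample messages (signature values are placeholders, not real).
GENUINE = ("From: PayPal <service@paypal.com>\n"
           "DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=sel;\n"
           " h=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
           "Subject: Receipt\n\nbody\n")
SPOOFED = ("From: PayPal <service@paypal.com>\n"
           "DKIM-Signature: v=1; a=rsa-sha256; d=bulk-mailer.example; s=k1;\n"
           " h=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
           "Subject: Verify your account\n\nbody\n")
SIGNED_SPAM = SPOOFED.replace("PayPal <service@paypal.com>",
                              "Deals <offers@bulk-mailer.example>")
```

The spoofed message is caught even though its signature validates, because the signing domain is not the listed one; the signed spam passes authentication and still needs a reputation lookup before it can be judged.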
And then there’s the fact that we have to reach a certain critical number of adopters of the DKIM technology before it really stems the tide. That takes time, though it may only be a matter of months. Paul Hoffman, a director at the Domain Assurance Council, a trade association for the domain reputation industry, believes we could see significant movement before the end of this year. "You're going to see a bunch of adoption from the receivers within the next six months, and that will spur the senders," he insisted. "Once the receivers are saying there's a higher chance you're going to get white-listed, the senders are going to say, 'Great, sign me up.'" According to Hoffman, most major email services have either adopted DKIM already or “are very interested in implementing it.”
The one notable exception, of course, is Microsoft. The software giant is heavily invested in its own Sender ID technology. Yahoo stole a march on Microsoft because the latter was hesitant to make its Sender ID patents compatible with the GNU General Public License. Yahoo is apparently more in tune with the open source community, and agreed to open up certain pending and granted patents surrounding DKIM. That fact can only serve to speed its adoption.
I, for one, believe the end of spamming and phishing can’t come too soon. I’ve certainly seen other so-called spam solutions fall short. If DKIM can truly deliver on its promise, the day the IETF approved it as a proposed standard may be remembered by Netizens everywhere as the day the tide finally turned in the war against phishing and spam.