DomainKeys Identified Mail (DKIM): Introduction and Overview. Eric Allman Chief Science Officer Sendmail, Inc.



Similar documents
DKIM last chance for mail service? TFMC2 01/2006

DomainKeys Identified Mail DKIM authenticates senders, message content

DomainKeys Identified Mail (DKIM): Using Digital Signatures for Domain Verification

DMA s Authentication Requirement: FAQs and Best Practices

The What, Why, and How of Authentication

Protect your brand from phishing s by implementing DMARC 1

Trust in Begins with Authentication

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

DomainKeys Identified Mail (DKIM) Murray Kucherawy The Trusted Domain Project

SESA Securing with Cisco Security Appliance Parts 1 and 2

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

DKIM Author Signing Practices (ASP) draft-ietf-dkim-ssp-03

BITS SECURITY TOOLKIT:

security

Objective This howto demonstrates and explains the different mechanisms for fending off unwanted spam .

Protect Outbound Mail with DMARC

THE DMARC GUIDE. Understanding DMARC for Securing

Spam, Spam and More Spam. Spammers: Cost to send

IronPort Authentication

How To Protect Your From Spam On A Barracuda Spam And Virus Firewall

Comprehensive Filtering. Whitepaper

Blackbaud Communication Services Overview of Delivery and FAQs

What is a Mail Gateway?... 1 Mail Gateway Setup Peering... 3 Domain Forwarding... 4 External Address Verification... 4

Marketing Glossary of Terms

SCORECARD MARKETING. Find Out How Much You Are Really Getting Out of Your Marketing

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Antispam Security Best Practices

Migration Project Plan for Cisco Cloud Security

DomainKeys Identified Mail (DKIM) Service Overview

Intercept Anti-Spam Quick Start Guide

How to Build an Effective Mail Server Defense

COMBATING SPAM. Best Practices OVERVIEW. White Paper. March 2007

Marketing: Methods to Block Spam

Message Authentication Signature Standards (MASS) BOF. Jim Fenton Nathaniel Borenstein

Anti-spam filtering techniques

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

Marketing 201. How a SPAM Filter Works. Craig Stouffer Pinpointe On-Demand cstouffer@pinpointe.com (408) x125

INinbox Start-up Pack

Quick Start Policy Patrol Spam Filter 9

Access Webmail, Collaboration Tools, and Sync Mobile Devices from Anywhere

Security - DMARC ed Encryption

Quick Start Policy Patrol Mail Security 10

Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

AntiSpam QuickStart Guide

DMARC. How. is Saving . The New Authentication Standard Putting an End to Abuse

eprism Security Appliance 6.0 Release Notes What's New in 6.0

Sender Authentication Technology Deployment and Authentication Identifiers

Exim4U. Server Solution For Unix And Linux Systems

How s are sent from Xero

FortiMail Filtering Course 221-v2.2 Course Overview

How To Configure Forefront Threat Management Gateway (Forefront) For An Server

Collateral Damage. Consequences of Spam and Virus Filtering for the System. Peter Eisentraut 22C3. credativ GmbH.

Exchange Online Protection In-Depth

DNS-based Sender Authentication Mechanisms: a Critical Review

Security. Help Documentation

Enhanced Spam Defence

How To Secure A Website With A Password Protected Login Process (

Reputation Metrics Troubleshooter. Share it!

This user guide provides guidelines and recommendations for setting up your business s domain authentication to improve your deliverability rating.

Mail system components. Electronic Mail MRA MUA MSA MAA. David Byers

Content Scanning with Exim 4

Technical Note. FORTIMAIL Configuration For Enterprise Deployment. Rev 2.1

ModusMail Software Instructions.

Overview An Evolution. Improving Trust, Confidence & Safety working together to fight the beast. Microsoft's online safety strategy

to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many

A White Paper. VerticalResponse, Delivery and You A Handy Guide. VerticalResponse,Inc nd Street, Suite 700 San Francisco, CA 94107

turbosmtp New Dashboard Handbook

FortiMail Filtering Course 221-v2.0. Course Overview. Course Objectives

How to make the s you Send from Outlook 2010 appear to Originate from different Addresses

Internet Standards. Sam Silberman, Constant Contact

Quick Start Policy Patrol Mail Security 9

Data Management Best Practices

Information Security Basic Concepts

Transcription:

DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.

The Context Traditional Content Scanning is reaching its limits Increasing interest in making life better for good players (in addition to penalizing bad players) Messages from good senders can be delivered without spam scanning to reduce load and avoid false positives Messages from known bad senders should be slowed down, carefully scanned, greylisted, challenged, or rejected outright Good senders want an ability to demonstrate their goodness, either by Accreditation (3 rd party assurance) or Reputation 2 DKIM Authentication and Reputation

Identity-Based Filtering For most people, 90 99% of their legitimate email comes from people or entities they know Notable exceptions: help desks, inquiry addresses, info@ addresses, etc. Allow (white) lists can reduce false positives I ll accept mail from my mother, my boss, or my bank without scanning Also, 90 99% of their spam comes from people or entities they do not know Notable exception: on-line order acknowledgments Critical: must ensure sender is who they claim to be... not someone pretending to be my bank Phishing usually involves identity theft Authentication required 3 DKIM Authentication and Reputation

Authentication vs. Authorization People often confuse the two Authentication: proof that you are who you claim to be Real life example: a passport Authorization: what you are allowed to do, generally based on: Real life example: a visa in a passport Prior knowledge by recipient of who you are Trusted third party accreditation Local- or network-wide reputation Entry methods such as Challenge-Response or content scanning 4 DKIM Authentication and Reputation

Overview of DKIM Cryptography-based protocol, signs selected header fields and message body Merge of DomainKeys (Yahoo!) and IIM (Cisco) Merge created by an industry consortium Significant industry support (see dkim.org for a list) Intended to allow good senders to prove that they did send a particular message, and to prevent forgers from masquerading as good senders (if those senders sign all outgoing mail) Not an anti-spam technology by itself 5 DKIM Authentication and Reputation

DKIM Goals Low-cost (avoid large PKI, new Internet services) No trusted third parties required (e.g., key servers) No client User Agent upgrades required Minimal changes for (naïve) end users Validate message itself (not just path) Allow sender delegation (e.g., outsourcing) Extensible (key service, hash, public key) Structure usable for per-user signing 6 DKIM Authentication and Reputation

DKIM Technology Signature transmitted in DKIM-Signature header field DKIM-Signature is self-signed Signature includes the signing identity (not inherently tied to envelope, From:, Sender:, or any other header) Initially, public key stored in DNS (new RR type, fall back to TXT) in _domainkey subdomain Extensible to other key delivery mechanisms Namespace divided using selectors, allowing multiple keys for aging, delegation, etc. Example: selectors for departments, date ranges, or third parties Sender Signing Policy lookup for unsigned, improperly signed, or third-party signed mail 7 DKIM Authentication and Reputation

DKIM-Signature header Example: DKIM-Signature: a=rsa-sha1; q=dns; d=example.com; i=user@eng.example.com; s=jun2005.eng; c=relaxed/simple; t=1117574938; x=1118006938; h=from:to:subject:date; b=dzdvyofakcdlxdjoc9g2q8loxslenisb av+yuu4zgeerud00lszzvog4zhrniyzr DNS query will be made to: jun2005.eng._domainkey.example.com 8 DKIM Authentication and Reputation

DKIM Status and Directions Currently submitted to Internet Engineering Task Force (IETF) as Internet-Drafts. draft-ietf-dkim-base-00.txt draft-allman-dkim-ssp-01.txt draft-fenton-dkim-threats-02.txt Still some other drafts to be written IETF Working Group chartered, first meeting in March Several interoperating implementations, some open source http://sourceforge.net/projects/dkim-milter 9 DKIM Authentication and Reputation

Eric Allman Sendmail, Inc. 10 DKIM Authentication and Reputation

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information