Extra Feeds & Services »

Home / Blogs

Searching for Truth in DKIM: Part 1 of 5

  • Mar 09, 2009 9:22 AM PDT
  • Comments: 2
  • Views: 1,905
Print Comment
By J.D. Falk
J.D. Falk

DomainKeys Identified Mail (DKIM) is the leading email authentication technology, supported by major ISPs including Google, AOL, and Yahoo! (who invented its predecessor), popular mail server software like Sendmail, and many of the best minds in email technology. But if you peruse the archives of the IETF DKIM mailing list, or start up a conversation at MAAWG, it might appear that there's still a lot of disagreement about what a DKIM signature actually means.

Often, anyone attempting to describe authentication turns to analogies: a driver's license, or a license plate on a car, or a passport—all saying that you are who you say you are, but not (by themselves) proving that you're trustworthy. The trust measurement is external to DKIM: a reputation score, or third-party certification status.

But what, exactly, is being trusted? What's being measured? An email message cannot contain the soul, or even the full identity, of the person or company who sent it. Reliably tying a message to the actual entity, the actual author, can be extremely difficult.

Security geeks talk instead about an identifier: a symbol that establishes the identity of the one bearing it. Here's where the analogies work: a passport or a driver's license is an identifier you can carry in your pocket, while a license plate is an identifier attached to a vehicle and backed by registration records.

In email, the ideal identifier would establish, beyond any doubt, the identity of the author of the message. Without DKIM, the closest we've been able to get is to determine the IP address which transmitted the message, after which we have to make assumptions about the owner of the IP address. DKIM is a vast improvement, establishing the domain name which signed the message. And the domain name, itself, is an identifier which can be tied to the company or person who registered that domain name—it's attached to an email message or web site, and is backed by registration records, just like a license plate.

Sometimes—particularly for commercial mail—the domain name is equivalent to the author. Those messages were sent by the company who registered the domain name. That's enough to tie the social reputation of the company to the message: if you trust your bank, you'll trust messages that you are certain were sent by your bank. And DKIM gives us this certainty—almost.

Thing is, the identifier used in DKIM is not the domain name of the author of the message. Instead it's a new value called "d=", which is (according to the DKIM specification) "the domain that will be queried for the public key" when verifying the cryptographic signature at the core of how DKIM works. To put it another way: d= identifies the domain name which signed the message, and that may be a different domain name from the author of the message.

The most common reaction, upon learning this, is for someone to say "well, then, DKIM is useless!" But, that's not true at all. It's simply that DKIM isn't the end of the story. Once you've got an identifier you can rely upon, a myriad of other things become possible. We'll discuss these further over the course of four more postings on this subject. Don't touch that dial…

(This article was originally published by Return Path)

By J.D. Falk, Director of Product Strategy at Return Path. Visit the blog maintained by J.D. Falk here.

Related topics: Domain Names, Email, Security, Spam

Get a weekly summary of postings to CircleID:

 Master Feed (more feeds)      Twitter      Mobile
Bookmark / Email This Post
Print Comment

Comments

Terminology Jim Fenton  –  Mar 09, 2009 11:42 AM PDT

I'm hoping not to create further confusion, but I'd like to pick at your terminology a bit.

Your driver's license isn't an identifier, it's a credential.  The driver's license number on it is, however, an identifier.  We had used the term "signing identity" in the specification, when arguably it should have been "signing identifier".

A lot of the confusion about identifiers in DKIM stem from the flexible delegation capabilities that are built into it.  We provided mechanisms to simplify key management for domains with lots of subdomains (parent domain signing) and for fine-grained delegation of signing authority, so that a domain could give a third-party sender the authority to sign certain email.  It's a little early to see how much these capabilities will be used, but we have done interoperability tests to make sure that they work.

# 1 Reply  |  Link  |  Report Problems
Good points, Jim, and thanks for the J.D. Falk  –  Mar 10, 2009 3:27 AM PDT

Good points, Jim, and thanks for the clarification...seems like a lot of the confusion starts with improper analogies.  I'll be avoiding 'em in the rest of this series.

# 2 Reply  |  Link  |  Report Problems

To post comments, please login or create an account.

Related Blogs

Domain Registrars & Registries: Don't Say You Weren't Warned

  • Mar 17, 2010
  • Comments: 1

Perspectives on a DNS-CERT

  • Mar 16, 2010
  • Comments: 0

"Thin Brand Line" Breaks as Canon Announces Plans for .CANON

  • Mar 16, 2010
  • Comments: 2

Another One (Partially) Bites the Dust

  • Mar 12, 2010
  • Comments: 0

ICANN Board Meeting Spoiler Alert

  • Mar 11, 2010
  • Comments: 6
View More

Related News

Memory Cards of 3,000 Vodafone Mobiles Infected With Malware

  • Mar 19, 2010
  • Comments: 0

25 Years of .COM, Clinton to Address Policy Makers for the Occasion

  • Mar 15, 2010
  • Comments: 1

ICANN to Reconsider the .XXX Decision on March 12

  • Mar 09, 2010
  • Comments: 0

German High Court Says No to Retaining Telecom, Email Data for Tracking Criminal Networks

  • Mar 02, 2010
  • Comments: 0

Study Suggests New gTLD Cybersquatting, Defensive Registrations Overestimated

  • Feb 26, 2010
  • Comments: 0
View More

Other Topics

Access Providers Broadband Censorship Cloud Computing Cyberattack Cybercrime Cybersquatting Data Center DNS DNSSEC Domain Names Domain Registries Email Enum ICANN Internet Governance Internet Protocol IP Addressing IPTV IPv6 Law Malware Mobile Multilinguism Net Neutrality P2P Policy & Regulation Privacy Regional Registries Security Spam Telecom Top-Level Domains VoIP Web White Space Whois Wireless
View More

Industry Updates – Sponsored Posts

.ORG, The Public Interest Registry Celebrates Its 25th Year With 8 Million Registrations

  • By PIR
  • Views: 223

MarkMonitor Year in Review Report: How Escalating Online Brand Abuse is Used to Monetize Web Traffic

.ORG: Introducing Fully Internationalized Domain Names

  • By PIR
  • Views: 715

.ORG to Fully Deploy DNSSEC in June

  • By PIR
  • Views: 578

The GLOBE Program Chooses Dyn Inc.'s Dynect Platform to Deploy DNSSEC per Federal OMB Mandate

SPECIAL: Updates from the ICANN Meetings in Nairobi

.ORG Registrations in 2009 Grew 8.4 Percent Over Previous Year

  • By PIR
  • Views: 821

MarkMonitor Sets New Standard in Brand Protection with Site Staydown Service

Announcement: dotMobi Ownership

Afilias Limited Acquires .Mobi Domain Registry, Expands Market Leadership

ICANN and Cybersecurity: Hot Topics at The First Ever .ORG Forum

  • By PIR
  • Views: 1,828

Using .ORG Directory to Find Haiti Relief Organizations

  • By PIR
  • Views: 1,385

Afilias Releases .INFO Domain 2009 Annual Report

Expressions of Interest a Requirement for New gTLDs?

Neustar Implements DNS Security Extensions in the .US Registry

Paid Search Ads Can Lead to Fake Goods

Neustar Launches Initiative to Enhance DNS With Faster, More Secure Updates

Registry Stakeholder Group Comments on Latest ICANN Policies

  • By PIR
  • Views: 2,056

Open Phishing Season

dotMobi Is Now a Member of The LACTLD

View More