DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.


DKIM Authentication and Reputation

Slide 2: The Context
- Traditional content scanning is reaching its limits
- Increasing interest in making life better for good players (in addition to penalizing bad players)
  - Messages from good senders can be delivered without spam scanning, to reduce load and avoid false positives
  - Messages from known bad senders should be slowed down, carefully scanned, greylisted, challenged, or rejected outright
- Good senders want an ability to demonstrate their goodness, either by accreditation (third-party assurance) or by reputation

Slide 3: "Identity-Based" Filtering
- For most people, 90–99% of their legitimate email comes from people or entities they know
  - Notable exceptions: help desks, inquiry addresses, etc.
  - Allow (white) lists can reduce false positives: I'll accept mail from my mother, my boss, or my bank without scanning
- Also, 90–99% of their spam comes from people or entities they do not know
  - Notable exception: on-line order acknowledgments
- Critical: must ensure the sender is who they claim to be... not someone pretending to be my bank
  - Phishing usually involves identity theft
  - Authentication required

Slide 4: Authentication vs. Authorization
- People often confuse the two
- Authentication: proof that you are who you claim to be
  - Real-life example: a passport
- Authorization: what you are allowed to do
  - Real-life example: a visa in a passport
  - Generally based on:
    - Prior knowledge by the recipient of who you are
    - Trusted third-party accreditation
    - Local- or network-wide reputation
    - "Entry methods" such as challenge-response or content scanning

Slide 5: Overview of DKIM
- Cryptography-based protocol: signs selected header fields and the message body
- Merge of DomainKeys (Yahoo!) and IIM (Cisco)
  - Merge created by an industry consortium
  - Significant industry support (see dkim.org for a list)
- Intended to allow good senders to prove that they did send a particular message, and to prevent forgers from masquerading as good senders (if those senders sign all outgoing mail)
- Not an anti-spam technology by itself

Slide 6: DKIM Goals
- Low-cost (avoid a large PKI or new Internet services)
- No trusted third parties required (e.g., key servers)
- No client User Agent upgrades required
- Minimal changes for (naïve) end users
- Validate the message itself (not just the path)
- Allow sender delegation (e.g., outsourcing)
- Extensible (key service, hash, public key algorithm)
- Structure usable for per-user signing

Slide 7: DKIM Technology
- Signature transmitted in the DKIM-Signature header field
- DKIM-Signature is self-signed (the field itself is covered by the signature, with its b= value treated as empty when the hash is computed)
- Signature includes the signing identity (not inherently tied to the envelope, From:, Sender:, or any other header)
- Initially, public key stored in DNS (new RR type, falling back to TXT) in the _domainkey subdomain
  - Extensible to other key delivery mechanisms
- Namespace divided using selectors, allowing multiple keys for key aging, delegation, etc.
  - Example: selectors for departments, date ranges, or third parties
- Sender Signing Policy lookup for unsigned, improperly signed, or third-party signed mail

Slide 8: Example DKIM-Signature header

    DKIM-Signature: a=rsa-sha1; q=dns; d=example.com; s=jun2005.eng;
        c=relaxed/simple; t= ; x= ; h=from:to:subject:date;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
          av+yuU4zGeeruD00lszZVoG4ZHRNiYzR

The DNS query will be made to: jun2005.eng._domainkey.example.com
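Slides 5 through 8 describe what DKIM signs and how a verifier finds the key. The Go program below is added here as a worked example; it is not part of Allman's deck nor any Sendmail code. It puts the pieces together end to end: relaxed header and simple body canonicalization, the bh= body hash, the self-signed DKIM-Signature field (hashed with its own b= blank), and the <selector>._domainkey.<domain> lookup, with an in-memory map standing in for DNS. It then shows the two outcomes a receiver cares about: a clean verification that yields the authenticated d= domain, and a rejected message whose Subject: was altered in transit. The domain and selector (example.com, jun2005.eng) are taken from slide 8; the sample message, the RSA key, the use of rsa-sha256 instead of the slide's rsa-sha1, and the function names are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, not from the slides: the extra spaces in Subject: and the trailing blank lines
// exercise canonicalization. Assumes CRLF line ends and no folded (continued) header lines.
const sampleMessage = "From: Alice <alice@example.com>\r\nSubject:   Quarterly   report\r\n\r\nPlease find the report attached.\r\n\r\n\r\n"

// bTag matches the b= tag together with its value; replacing the match by "$1" blanks only the value.
var bTag = regexp.MustCompile(`(;\s*b=)[^;]*`)

// relaxedHeader: lower-case the name, drop whitespace around the colon, collapse whitespace runs in
// the value to one space, so a relay that reflows whitespace does not break the signature.
func relaxedHeader(field string) string {
	name, value, _ := strings.Cut(field, ":")
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.Join(strings.Fields(value), " ")
}

// bodyHash is the bh= tag: base64(SHA-256) over the "simple" canonical body, i.e. trailing empty
// lines removed and exactly one CRLF at the end (an empty body becomes a lone CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// parseTags turns "DKIM-Signature: k=v; k=v; ..." into a map.
func parseTags(sigField string) map[string]string {
	tags := map[string]string{}
	for _, p := range strings.Split(strings.SplitN(sigField, ":", 2)[1], ";") {
		if k, v, ok := strings.Cut(p, "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// headerHashInput is the data the RSA signature covers: each h= field (searched bottom-up, as the spec
// requires) canonicalized plus CRLF, then the DKIM-Signature field itself with b= blanked and no
// trailing CRLF. Hashing the field with an empty b= is what "DKIM-Signature is self-signed" means.
func headerHashInput(raw, sigField string) []byte {
	headers := strings.Split(strings.SplitN(raw, "\r\n\r\n", 2)[0], "\r\n")
	var b strings.Builder
	for _, want := range strings.Split(parseTags(sigField)["h"], ":") {
		for i := len(headers) - 1; i >= 0; i-- {
			if strings.HasPrefix(strings.ToLower(headers[i]), strings.ToLower(want)+":") {
				b.WriteString(relaxedHeader(headers[i]) + "\r\n")
				break
			}
		}
	}
	b.WriteString(relaxedHeader(bTag.ReplaceAllString(sigField, "$1")))
	return []byte(b.String())
}

// sign returns a complete DKIM-Signature field for raw under the given domain and selector.
func sign(raw string, key *rsa.PrivateKey, domain, selector string) (string, error) {
	_, body, _ := strings.Cut(raw, "\r\n\r\n")
	sigField := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:subject; bh=%s; b=", domain, selector, bodyHash(body))
	digest := sha256.Sum256(headerHashInput(raw, sigField))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return sigField + base64.StdEncoding.EncodeToString(sig), err
}

// verify checks sigField against raw and returns the authenticated d= domain. dns stands in for the
// TXT lookup at <selector>._domainkey.<domain> from slide 8; no record at that name means no trust.
func verify(raw, sigField string, dns map[string]*rsa.PublicKey) (string, error) {
	tags := parseTags(sigField)
	pub, ok := dns[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return "", fmt.Errorf("no key record at %s._domainkey.%s", tags["s"], tags["d"])
	}
	if _, body, _ := strings.Cut(raw, "\r\n\r\n"); bodyHash(body) != tags["bh"] {
		return "", fmt.Errorf("body hash mismatch")
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"]) // a malformed b= simply fails the check below
	digest := sha256.Sum256(headerHashInput(raw, sigField))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	return tags["d"], nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	dns := map[string]*rsa.PublicKey{"jun2005.eng._domainkey.example.com": &key.PublicKey}
	sigField, _ := sign(sampleMessage, key, "example.com", "jun2005.eng")
	domain, err := verify(sampleMessage, sigField, dns)
	_, tamperErr := verify(strings.Replace(sampleMessage, "Quarterly", "Annual", 1), sigField, dns)
	fmt.Printf("authenticated d=%s (err=%v); tampered copy: %v\n", domain, err, tamperErr)
}
```

Two things the example makes concrete that the slides only state. First, verification authenticates the d= domain and nothing else: the From: header is covered by the hash so it cannot be altered, but nothing forces From: and d= to agree, which is exactly why slide 7 separates the signing identity from the other header fields and why slide 3's allow list must be keyed on the authenticated domain. Second, a signature whose selector has no record at <selector>._domainkey.<domain> is treated as unverified rather than as an error to be worked around. A production verifier additionally has to unfold header lines, parse the key record's tags (k=, p=), handle several DKIM-Signature fields on one message, and honour the t= and x= timestamps from slide 8, none of which this example attempts.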

Slide 9: DKIM Status and Directions
- Currently submitted to the Internet Engineering Task Force (IETF) as Internet-Drafts:
  - draft-ietf-dkim-base-00.txt
  - draft-allman-dkim-ssp-01.txt
  - draft-fenton-dkim-threats-02.txt
  - Still some other drafts to be written
- IETF Working Group chartered, first meeting in March
- Several interoperating implementations, some open source

Slide 10
Eric Allman
Sendmail, Inc.