1 The Business Case for DomainKeys Identified Mail
2 Fighting Spam & Abuse Requires a Multi-Faceted Approach DomainKeys Identified Mail is part of a multi-faceted approach to protect consumers against spam and phishing scams. Industry collaboration efforts Cisco, Sendmail, PGP, AOL, IBM, and others worked together to submit DKIM to IETF Legislation and litigation Yahoo! has filed several lawsuits against spammer Increasing consumer awareness Consumer information available at and Enhanced technologies Content filters, virus protection, sender reputation and accreditation
3 The State of – Market Situation Worldwide market = 465 million monthly users (comScore Media Metrix, 12/2005) The original design of makes forgery and spoofing easy for spammers The most egregious abuse = phishing and online identity theft
4 The Proliferation of Phishing Attacks Gartner Study: Increased Phishing and Online Attacks Cause Dip in Consumer Confidence (survey of 5,000 adults, 6/05) 2.42 million US adults report losing money due to phishing attacks In 2004 and 2005, 11 million phishing recipients clicked on the links (or about 15 percent this year and 19 percent last year) More than 80 percent of online consumers say that their concerns about online attacks have affected their trust in from companies or individuals they don’t know personally. Forrester Study: Phishing Spreads Among Consumers (9/05) 14,000 phishing attacks were reported to the Anti-Phishing Working Group from April to Sept 2005 According to the APWG, the number of unique key logging Web sites increased 125% from April to Sept % of phishing attacks target the financial services industry
5 Why Yahoo! Mail is Involved Yahoo! Mail is the largest Web mail provider in the US and in the world –231 million monthly unique users worldwide (comScore MediaMetrix, 12/06) Yahoo! provides for: –SBC/AT&T –Verizon –British Telecom –Rogers Cable –Bell South –100,000s of small business and personal domains
6 Sender Reputation Based on IP Address Numerous headaches with IP reputation (pre-domain authentication) –Maintenance – Senders forget to communicate (or even realize) IP address changes ISPs end up relying on end user reports – Service Providers and shared IP addresses –Forwarding 80% of forwards traffic is spam Poor reputation Extremely hard to distinguish legitimate wanted forwarded mail from forgeries ISP are between rock and a hard place – protect user from phishing and other forgeries or yield false positives Marketers send TONS of mail that gets legitimately forwarded: (Yahoo!, EarthLink, Comcast, Juno, Mail.com, SBC, …) –Users don’t know or care about IP addresses –Marketers don’t care about IP addresses
7 Sender Reputation Based on Domains DomainKeys was developed to solve these issues –Low maintenance for sender and ISP –Many domains can share the same IP address without sharing the same reputation –Survives forwarding –Users know about domains –Company’s domain is (or should be) a prime brand attribute to marketers
8 Key Benefits of DomainKeys ISP can measure the correct reputation ISP can help you protect your brand Reduce sender reputation maintenance Protect users from forgery
9 Implementation Costs CPU Cost: –Sendmail study shows 8-16% mail server software CPU increase –Several major ISPs and senders have not needed to add additional hardware Several royalty free software implementations available ESPs are beginning to implement DNS – infrequent updates required
10 Implementation Costs: Licensing Patent license designed to allow freedom to operate, while protecting the industry –Royalty free –Sub-licensable –Perpetual unless you sue Yahoo! or other implementer over DomainKeys –No registration required GPL (GNU General Public License)
11 Signing and verifying using DomainKeys Expect to begin using DKIM as specification stabilizes Showing positive verification results to users Skipping some antispam filters –Especially forgery detection –Filters that get fooled by forwarding most often –Not guaranteed inbox delivery! Working on providing complaint feedback loops for signed mail Continued integration into sender reputation systems How Yahoo! is using DomainKeys
12 How it works – Sending Servers Set up: The domain owner (typically the team running the systems within a company or service provider) generates a public/private key pair to use for signing all outgoing messages (multiple key pairs are allowed). The public key is published in DNS, and the private key is made available to their DomainKey-enabled outbound servers. This is step "A" in the diagram to the right. Signing: When each is sent by an authorized end-user within the domain, the DomainKey-enabled system automatically uses the stored private key to generate a digital signature of the message. This signature is then pre-pended as a header to the , and the is sent on to the target recipient's mail server. This is step "B" in the diagram to the right.
13 How it works – Receiving Servers Preparing: The DomainKeys-enabled receiving system extracts the signature and claimed From: domain from the headers and fetches the public key from DNS for the claimed From: domain. This is step "C" in the diagram to the right. Verifying: The public key from DNS is then used by the receiving mail system to verify that the signature was generated by the matching private key. This proves that the was truly sent by, and with the permission of, the claimed sending From: domain and that its headers and content weren't altered during transfer. Delivering: The receiving system applies local policies based on the results of the signature test. If the domain is verified and other anti-spam tests don't catch it, the can be delivered to the user's inbox. If the signature fails to verify, or there isn't one, the can be dropped, flagged, or quarantined. This is step "D" in the diagram on the right.
14 Domains from which Yahoo! has received a DomainKeys signed
15 More information and specification: Tools for deployment