Presentation is loading. Please wait.

Presentation is loading. Please wait.

DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc."— Presentation transcript:

1 DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.

2 DKIM Authentication and Reputation2 The Context Traditional Content Scanning is reaching its limits Increasing interest in making life better for good players (in addition to penalizing bad players) Messages from good senders can be delivered without spam scanning to reduce load and avoid false positives Messages from known bad senders should be slowed down, carefully scanned, greylisted, challenged, or rejected outright Good senders want an ability to demonstrate their goodness, either by Accreditation (3 rd party assurance) or Reputation

3 DKIM Authentication and Reputation3 “Identity-Based” Filtering For most people, 90–99% of their legitimate email comes from people or entities they know Notable exceptions: help desks, inquiry addresses, “info@” addresses, etc. Allow (white) lists can reduce false positives I’ll accept mail from my mother, my boss, or my bank without scanning Also, 90–99% of their spam comes from people or entities they do not know Notable exception: on-line order acknowledgments Critical: must ensure sender is who they claim to be... not someone pretending to be my bank Phishing usually involves identity theft Authentication required

4 DKIM Authentication and Reputation4 Authentication vs. Authorization People often confuse the two Authentication: proof that you are who you claim to be Real life example: a passport Authorization: what you are allowed to do, generally based on: Real life example: a visa in a passport Prior knowledge by recipient of who you are Trusted third party accreditation Local- or network-wide reputation “Entry methods” such as Challenge-Response or content scanning

5 DKIM Authentication and Reputation5 Overview of DKIM Cryptography-based protocol, signs selected header fields and message body Merge of DomainKeys (Yahoo!) and IIM (Cisco) Merge created by an industry consortium Significant industry support (see dkim.org for a list) Intended to allow good senders to prove that they did send a particular message, and to prevent forgers from masquerading as good senders (if those senders sign all outgoing mail) Not an anti-spam technology by itself

6 DKIM Authentication and Reputation6 DKIM Goals Low-cost (avoid large PKI, new Internet services) No trusted third parties required (e.g., key servers) No client User Agent upgrades required Minimal changes for (naïve) end users Validate message itself (not just path) Allow sender delegation (e.g., outsourcing) Extensible (key service, hash, public key) Structure usable for per-user signing

7 DKIM Authentication and Reputation7 DKIM Technology Signature transmitted in DKIM-Signature header field DKIM-Signature is self-signed Signature includes the signing identity (not inherently tied to envelope, From:, Sender:, or any other header) Initially, public key stored in DNS (new RR type, fall back to TXT) in _domainkey subdomain Extensible to other key delivery mechanisms Namespace divided using selectors, allowing multiple keys for aging, delegation, etc. Example: selectors for departments, date ranges, or third parties Sender Signing Policy lookup for unsigned, improperly signed, or third-party signed mail

8 DKIM Authentication and Reputation8 DKIM-Signature: a=rsa-sha1; q=dns; d=example.com; i=user@eng.example.com; s=jun2005.eng; c=relaxed/simple; t=1117574938; x=1118006938; h=from:to:subject:date; b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb av+yuU4zGeeruD00lszZVoG4ZHRNiYzR jun2005.eng._domainkey.example.com DKIM-Signature header Example: DNS query will be made to:

9 DKIM Authentication and Reputation9 DKIM Status and Directions Currently submitted to Internet Engineering Task Force (IETF) as Internet-Drafts. draft-ietf-dkim-base-00.txt draft-allman-dkim-ssp-01.txt draft-fenton-dkim-threats-02.txt Still some other drafts to be written IETF Working Group chartered, first meeting in March Several interoperating implementations, some open source http://sourceforge.net/projects/dkim-milter

10 DKIM Authentication and Reputation10 Eric Allman Sendmail, Inc.

Download ppt "DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
1 Eloqua Providing Industry-Leading Management Tools May 2009.

1 Eloqua Providing Industry-Leading Management Tools May 2009.
Email Deliverability @ Eloqua Providing Industry-Leading Email Management Tools.

Eloqua Providing Industry-Leading Management Tools.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
TrustPort Net Gateway Email traffic protection. WWW.TRUSTPORT.COM Keep It Secure Entry point protection –Clear separation of the risky internet and secured.

TrustPort Net Gateway traffic protection. Keep It Secure Entry point protection –Clear separation of the risky internet and secured.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.

Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Draft-lemonade-imap-submit-01.txt “Forward without Download” Allow IMAP client to include previously- received message (or parts) in or as new message.

Draft-lemonade-imap-submit-01.txt “Forward without Download” Allow IMAP client to include previously- received message (or parts) in or as new message.
How Will Authentication Reduce Global Spam? OECD Anti-Spam Task Force Pusan – September, 2004 Dave Crocker Brandenburg InternetWorking OECD Anti-Spam Task.

How Will Authentication Reduce Global Spam? OECD Anti-Spam Task Force Pusan – September, 2004 Dave Crocker Brandenburg InternetWorking OECD Anti-Spam Task.
Email Protocols and Troubleshooting Brandon Checketts.

Protocols and Troubleshooting Brandon Checketts.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.

© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Electronic Data Interchange (EDI)

Electronic Data Interchange (EDI)

Similar presentations

Ads by Google