DKIM: Not Shiny, But Very Important
by J.D. Falk
Director of Product Strategy, Receiver Services
When a new iPhone or Palm device is released or Google announces a new OS, everybody hears about it. These are, for a short time, the shiniest thing in the tech world. One reason for this phenomenon — perhaps the primary reason — is that they directly affect end users. They’re things that early adopters drool over and stand in line for, while slower adopters ask “Why would I want that? My 8-track player still works perfectly.” In the meantime, the U.S. Department of Justice is investigating whether domestic telecommunications companies have been engaging in “monopolistic and anticompetitive practices” again — which could have much larger, longer-lasting effects on how we access and utilize the internet in this country. But, it’s not shiny and immediate, so that gets far less attention.
Even in the email industry, shininess is rarely an accurate indication of importance or impact. Google removed the “beta” label from Gmail a few weeks ago, but Gmail is still basically the same as it was before. Spammers are mentioning Michael Jackson more often than they did before he died, but so is everyone else. And Return Path has published two more studies, proving twice again that email marketers need to pay more attention to deliverability.
Those are the things that everyone in the industry re-tweets at each other. Yet in the background, seemingly far from anything that makes end users excited, email is slowly becoming more secure as authentication — primarily DKIM — grows. Cisco reports a massive increase in DKIM-signed messages thus far in 2009, alongside a similarly massive increase in DKIM-signing domains. And while there’s still confusion about what a valid DKIM signature actually means, and a few use cases are still being worked out, there’s more good information being published about DKIM all the time. One of these is the IETF’s DomainKeys Identified Mail (DKIM) Service Overview, recently crowned RFC 5585. It’s not light reading — but “[it] is intended for those who are adopting, developing, or deploying DKIM.”
Many of the shiny new features appearing in GMail Labs (which I guess means they’re still beta) are based on DKIM (alongside SPF in some cases). The “key” icon for PayPal and eBay messages is a visual indicator that the message is authenticated and sent by an important, commonly phished domain, much like the icon you see in your web browser when a site has a valid SSL certificate. Yahoo! shows a similar key icon for every message with a DomainKeys signature in what’s now called the “Classic” Yahoo! Mail interface. Unfortunately, a lot of spam and other low-value mail was signed with DomainKeys too, so Yahoo! Mail users didn’t mentally associate it with trust; it’s likely they had no idea what it was for, and it meant less with every message. That’s where reputation comes in.
GMail’s shiny unsubscribe window appears when a user reports spam on a message that has the “mailto” version of the old standard List-Unsubscribe header, and is signed by an entity with a good reputation. And now they’re showing images by default on messages from the user’s contacts — if those contacts’ mail is authenticated.
In the meantime, phishing — where bad guys trick your customers into revealing personal information by sending mail that looks like it’s from your domain — has become one of the largest worldwide criminal enterprises. That is shiny enough to get headlines; it’s even shiny enough to get Google, Yahoo!, AOL, and other big mailbox providers to do extra work for eBay and PayPal.
End users can’t tell whether a message is actually from the company mentioned in the content. The MAAWG consumer survey (which we wrote about last week) said 67% of end users look at the sender’s name to determine if a message was legitimate, and 45% look at the subject — both of which are entirely controlled by whoever sent the message. And when a message was sent through a third party such as an ESP, even experts often can’t tell. DKIM can help, but only once the commonly phished domains sign all of their messages and the ISPs block unsigned messages from those domains. That will happen only after enough big, important brands are signing.
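The receiver-side rules the post describes (the “key” icon for an aligned signature from a commonly phished domain, the unsubscribe window gated on a mailto: List-Unsubscribe header plus a signer with good reputation, and rejection of unsigned mail from domains known to sign everything), as an added Python example that is not from the original post or any mailbox provider’s code. The policy tables, the `.example` domains and the Authentication-Results values are constructed assumptions; a real receiver would fill them from its own DKIM verifier and reputation data.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed receiver-side policy (assumptions, not from the article).
# Domains known to DKIM-sign all outbound mail; unsigned mail claiming to be
# from them is treated as spoofed, which is the ISP behaviour the post asks for.
ALWAYS_SIGNS = {"paypal.example", "ebay.example"}
# Receiver's view of signer reputation; only good signers unlock features.
SIGNER_REPUTATION = {"paypal.example": "good", "bulk.example": "poor"}

def from_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def dkim_signer(msg):
    """d= domain of a verified signature, read from the receiver's own
    Authentication-Results header (constructed here); None if no pass."""
    ar = msg.get("Authentication-Results", "")
    m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", ar, re.I)
    return m.group(1).lower() if m else None

def evaluate(raw):
    """Apply the three receiver-side rules from the post to one raw message."""
    msg = message_from_string(raw)
    frm, signer = from_domain(msg), dkim_signer(msg)
    out = {"reject": False, "key_icon": False, "unsubscribe": False}
    if frm in ALWAYS_SIGNS:
        # Domain signs everything: unsigned or misaligned -> reject; aligned pass -> key icon.
        if signer != frm:
            out["reject"] = True
            return out
        out["key_icon"] = True
    # Unsubscribe window needs the mailto: form of List-Unsubscribe AND a good signer.
    unsub = msg.get("List-Unsubscribe", "")
    if (signer and SIGNER_REPUTATION.get(signer) == "good"
            and re.search(r"<mailto:[^>]+>", unsub, re.I)):
        out["unsubscribe"] = True
    return out

# Constructed sample messages (not real mail).
LEGIT = ("From: PayPal <service@paypal.example>\n"
         "Authentication-Results: mx.example; dkim=pass header.d=paypal.example\n"
         "List-Unsubscribe: <mailto:unsub@paypal.example>\n\nbody\n")
PHISH = ("From: PayPal <service@paypal.example>\n"
         "Authentication-Results: mx.example; dkim=none\n\nbody\n")
BULK = ("From: deals@bulk.example\n"
        "Authentication-Results: mx.example; dkim=pass header.d=bulk.example\n"
        "List-Unsubscribe: <mailto:stop@bulk.example>\n\nbody\n")
```

Note that BULK carries a valid signature and a mailto: unsubscribe link yet gets no unsubscribe window: the signature identifies the sender, and reputation decides whether that identity earns anything, which is the point the post makes about DomainKeys-signed spam.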
eBay and PayPal used to be the most common phishing targets by far, because their popular services operate entirely online, regularly send a lot of email, and are directly connected to users’ bank accounts. So, they had a very strong incentive to protect themselves — and enough clout in the industry to convince the big ISPs to help.
First, they implemented every authentication method available: SPF, SenderID, DKIM, even some proprietary commercial offerings. Because they each send so much mail from so many disparate systems controlled by different departments, the eBay and PayPal security teams needed help from ISPs to track down every legitimate mail source. We understand this exercise took more than a year to complete, and required immense effort and attention to detail. It could be difficult for a smaller or less internet-savvy company to achieve the same results.
Authentication has a classic chicken/egg problem: if a brand isn’t being directly, visibly harmed by phishing yet, what’s their incentive to implement and audit authentication? Authentication has a small effect on deliverability, but won’t override the stigma of bad practices. Will these shiny features from GMail be enough?
And for ISPs, until there are a lot of valued brands authenticating all of their mail, why should they hurry to implement a system to block unauthenticated mail? It won’t be shiny enough.
So as a sender, ISP, or anywhere in between: what’s stopping you from authenticating, or implementing authentication-based features? What are you still confused about? Or if you’ve already started, how’d it go? Tell us in the comments; join the industry-wide conversation. Together we can make DKIM shiny enough that your bosses and your clients stand in line outside your door all night instead of at the Apple store, waiting for the chance to apply DKIM signatures to the messages they’re composing on their extremely shiny new devices.