As the DKIM (DomainKeys Identified Mail) base standard for email authentication moves closer and closer to final approval by the IETF as an Internet standard, I find myself increasingly dealing with the question, “So, what’s next?” On its face, DKIM alone provides a measure of utility by giving manually maintained whitelists a basis for trusting a message’s authenticity. But manually maintained whitelists are a pain. An improvement here would be the ability to outsource the maintenance of a whitelist to a vendor one trusts (I’ll speak to this a little later).
Another use which is perfect for DKIM goes like this: We run a service whereby customers using our email security solutions can receive specially formatted “Urgent Update” emails which trigger an immediate virus signature update. We blast out these emails during new virus outbreaks so that our customers, rather than having to wait for their next scheduled update, acquire the protection they need immediately. Authentication of these messages by our email platform is, of course, critical. Without it, an attacker could flood our customers with bogus “make work” emails. In the past we’ve used path-based authentication techniques - our software would only honor “Urgent Update” emails received from our IP addresses. However, this presents the obvious problems of not being able to out-source the sending of these emails and not being able to change IPs when necessary. Cryptographic authentication approaches like DKIM completely solve these problems.
The most anticipated application of DKIM that I am aware of would be the assessment of an authenticated identity associated with a message using the services of one or more of the major reputation providers. Such services would be domain-based rather than IP-based, which seems to make more long-term sense. Fledgling steps toward this are already taking place. Through the work of the Domain Assurance Council (DAC), Alt-N is helping to define protocols by which such assessments can be acquired. The first, Vouch By Reference (VBR), will be fully supported by the next release of the MDaemon email server. VBR describes a mechanism through which certification data can be obtained. Certification is a process whereby a source that you trust “vouches” for the “good behavior” of some third party. If you trust the judgment of the “voucher” (or certifier) you could, for example, skip expensive spam filtering on messages which should be “ok”.
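To make the two ideas above concrete (trust bound to a DKIM-authenticated domain rather than to a source IP, and a trusted third party vouching for that domain), here is an added example that is not code from the post, from Alt-N, or from MDaemon. It implements a receiver-side VBR check in the shape the mechanism later took in RFC 5518: the message carries a `VBR-Info:` header naming the domain (`md`), the message type (`mc`) and one or more vouching services (`mv`), and the receiver looks up a TXT record at `<md>._vouch.<voucher>`. The DNS table, the message, the voucher names and the `trusted_vouchers` set are all constructed for the example; in a real deployment `lookup` would be a DNS resolver and `authenticated_domain` would come from the DKIM verifier.

```python
import email
from typing import Callable, Dict, List, Optional, Set

# Constructed DNS table standing in for TXT lookups at "<md>._vouch.<mv>".
# A record lists the message types the voucher certifies, or "all".
FAKE_DNS_TXT: Dict[str, List[str]] = {
    "example.com._vouch.vouch.example.net": ["transaction list"],
    "shop.example._vouch.vouch.example.net": ["all"],
}


def dns_txt(name: str) -> List[str]:
    """Stand-in resolver: returns the TXT strings for a name, or []."""
    return FAKE_DNS_TXT.get(name.lower(), [])


def parse_vbr_info(value: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' header value into a dict."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def vbr_check(
    vbr_info: str,
    authenticated_domain: Optional[str],
    trusted_vouchers: Set[str],
    lookup: Callable[[str], List[str]] = dns_txt,
) -> Optional[str]:
    """Return the trusted voucher that certifies this message, or None.

    authenticated_domain is the domain proven by authentication (for DKIM,
    the d= of a verified signature); a VBR claim is only meaningful for
    an identity that was actually authenticated, never for a bare header.
    """
    tags = parse_vbr_info(vbr_info)
    md, mc, mv = tags.get("md"), tags.get("mc"), tags.get("mv")
    if not (md and mc and mv):
        return None
    # 1. The domain the sender claims must be the one authentication proved.
    if authenticated_domain is None or md.lower() != authenticated_domain.lower():
        return None
    # 2. Consult only vouchers this receiver has chosen to trust; the
    #    sender may list several, colon-separated, and we ignore the rest.
    for voucher in (v.strip().lower() for v in mv.split(":")):
        if voucher not in trusted_vouchers:
            continue
        for record in lookup(f"{md.lower()}._vouch.{voucher}"):
            types = record.lower().split()
            if "all" in types or mc.lower() in types:
                return voucher
    return None


def evaluate_message(
    raw_message: str,
    authenticated_domain: Optional[str],
    trusted_vouchers: Set[str],
) -> Optional[str]:
    """Check every VBR-Info header of a message; first trusted voucher wins."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("VBR-Info", []):
        voucher = vbr_check(value, authenticated_domain, trusted_vouchers)
        if voucher:
            return voucher
    return None


# Constructed message; the DKIM-Signature line is illustrative only and is
# not verified here (the verifier's result is passed in as authenticated_domain).
SAMPLE_MESSAGE = """\
From: updates@example.com
To: customer@example.org
Subject: Urgent Update
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; (signature elided)
VBR-Info: md=example.com; mc=transaction; mv=other.example:vouch.example.net

Signature update follows.
"""

if __name__ == "__main__":
    trusted = {"vouch.example.net"}
    print(evaluate_message(SAMPLE_MESSAGE, "example.com", trusted))  # vouch.example.net
    print(evaluate_message(SAMPLE_MESSAGE, None, trusted))           # None
```

Two things the code makes explicit that the prose leaves implicit: the `md` claim is only honored when it equals the domain the DKIM verifier actually proved, so an unsigned or differently signed message cannot borrow another domain's certification; and the receiver, not the sender, decides which vouchers count, so listing an unknown service in `mv` gains nothing.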
So, who’s doing the certifying? So far, nobody. But that doesn’t mean that the effort is worthless. It’s our hope that the major reputation/accreditation vendors will take up the mantle and provide these domain-based services on a global level. Until then, regional or “specialized” certification programs might materialize. For example, Alt-N will be running a certification server using VBR and will certify messages on behalf of the MDaemon community. My hope is that this will serve to prove that VBR can work, while at the same time providing a real value-added service for our customers.
Who knows where DKIM will take us. Authenticated email is relatively new. One thing is certain: there is a lot of brain power working this one and you can bet that there will be many applications on the horizon.
This entry was posted on Tuesday, January 30th, 2007 at 3:42 pm and is filed under General.