DKIM: What is it, and why do we need it?
A functional overview by Eric Allman, editor of the IETF Draft Standard (RFC 4871).
Electronic mail on the Internet has the unfortunate property of being easy to spoof — that is, anyone can send mail that pretends to be from someone else. This is a characteristic of the SMTP network protocol itself. In the early days this wasn't a problem; in fact, it was quite useful, for a lot of reasons that I won't bore you with.
But things are different today. Phishing and spam are poxes on the Internet that vary from the "merely" annoying to the outright criminal. Many of the perpetrators of these scams attempt to hide their identity, either just to hide or with the intent to pretend to be a legitimate party. This is especially common with phishing, where the criminals will pretend to be banks or retailers in an attempt to trick you, the victim, into giving up information about yourself that can be used to clean out your account.
The Internet needs a way to fight this crime.
What is DKIM?
DomainKeys Identified Mail (DKIM) is a technology designed to make it difficult or impossible for criminals to steal the identities of legitimate organizations. This authentication technology allows good senders to "sign" a message to prove that it really did come from them.
DKIM works on the basis of the domain name, that is, the part of an email address after the "@" sign. For most normal email this is "good enough" — for example, I might need to know if a message really comes from my bank (the domain), but it is less important exactly who at the bank sent it (the part before the "@" sign). Partially because of this, most companies will probably decide to use DKIM on their main mail servers; users won't have to make any changes at all in order to get the benefits of DKIM.
DKIM is an IETF Draft Standard, and it is free (any company can use it without paying), easy to use (the software needed for DKIM is relatively simple, requiring no new network services), and compatible with most vendors' email technology.
How does it work?
DKIM allows a signer to attach a digital signature to each message that is being sent. Any verifier receiving a message can easily determine whether the domain that claimed to have signed the message actually did. For example, if you receive a message that has a valid signature from your bank, you can be quite certain that your bank actually did sign that message. The signature can also be used to validate that the contents of the message have not been altered since it was signed.
The underlying technology is called public key cryptography (you may also see this called "asymmetric cryptography"). For the purposes of DKIM, the main point is that there are actually two keys, called the public key and the private key. The private key can be used to sign the message, and it must be kept secret. But the public key can only be used to verify the signature, and hence can be widely published. Someone having only the public key cannot create a false signature. A signer simply signs messages using its private key and publishes the public key using DNS (the existing Internet system used to convert domain names to numerical addresses, allowing you to type in "sendmail.com" rather than "209.246.26.25").
The signature itself is included in the header of the message (the portion at the top which includes the sender name, the date of the message, and the message subject). Most end users won't even see this header field.
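The exchange described above, as an added example that is not part of Allman's article: a reduced DKIM-style signer and verifier in Go. The domain name (bank.example), the selector (sel1), the ed25519-sha256 algorithm (RFC 8463; the original standard used RSA), the in-memory map standing in for the DNS TXT record, the single-valued headers and the stripped-down canonicalization are all assumptions made so the example runs offline.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)
// dnsTXT stands in for the TXT record at <selector>._domainkey.<domain>; nothing touches the network.
var dnsTXT = map[string]string{}
func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }
func sha(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// parseTags splits the "k=v; k=v" lists used by both the header field and the DNS record.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(t), "=")
		tags[k] = v
	}
	return tags
}
// signedText returns the tag list with an empty b= and what the key signs: the h= headers (assumed single-valued), then the DKIM-Signature field itself.
func signedText(hdrs map[string]string, d, s, h, bh string) (tags, text string) {
	tags = "v=1; a=ed25519-sha256; d=" + d + "; s=" + s + "; h=" + h + "; bh=" + bh + "; b="
	for _, name := range strings.Split(h, ":") {
		text += name + ": " + hdrs[name] + "\r\n"
	}
	return tags, text + "DKIM-Signature: " + tags
}
// Publish generates the domain's key pair and places the public half in (simulated) DNS.
func Publish(domain, selector string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=ed25519; p=" + b64(pub)
	return priv
}
// Sign returns the DKIM-Signature header value: the body hash in bh= and the signature in b=.
func Sign(hdrs map[string]string, body, domain, selector string, priv ed25519.PrivateKey) string {
	tags, text := signedText(hdrs, domain, selector, "From:Subject:Date", b64(sha(body)))
	return tags + b64(ed25519.Sign(priv, sha(text)))
}
// Verify fetches the key the claimed domain published, then checks the body hash and the signature.
func Verify(hdrs map[string]string, body, sig string) bool {
	t := parseTags(sig)
	pub, err := base64.StdEncoding.DecodeString(parseTags(dnsTXT[t["s"]+"._domainkey."+t["d"]])["p"])
	b, err2 := base64.StdEncoding.DecodeString(t["b"])
	if err != nil || err2 != nil || len(pub) != ed25519.PublicKeySize || b64(sha(body)) != t["bh"] {
		return false // the claimed domain published no usable key, or the body changed after signing
	}
	_, text := signedText(hdrs, t["d"], t["s"], t["h"], t["bh"])
	return ed25519.Verify(ed25519.PublicKey(pub), sha(text), b)
}
```

A verifier that finds no key under the claimed domain, a changed body, a changed signed header, or a signature made with some other domain's key all end in the same place: Verify returns false, and the message can be rejected or quarantined as the article describes.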
So what will end users see?
That will depend on the email provider. In most cases end users won't have to see forged email at all — if a message claims to come from their bank, and the bank is using DKIM, but the message isn't properly signed, the forged message will be rejected, quarantined, or otherwise hidden from the user's view.
Some providers will probably include additional information. For example, if a message arrives that is signed by a sender known to be a "good player" on the Internet, the provider might display it with a green dot or a gold star next to it. Unsigned or unverifiable messages will be left as they are today. As more and more senders sign their messages, the gold star will become the norm.
What are the benefits?
Every legitimate player should see benefits from DKIM. The bad guys, on the other hand, should experience a serious case of heartburn.
End users will see a reduction in phishes in their inboxes. These won't go to zero, at least at first, because there will be a transition period while senders adopt DKIM. Eliminating spam will be even harder. But most importantly, legitimate mail from known sources that is signed will be delivered; users will always receive legitimate mail from their banks without risking having it deleted because it looks like it might be dangerous or junk mail.
Email service providers will be able to reduce load on their systems and provide a better experience for their users. In an ISP setting this reduces customer churn. In an enterprise setting it results in more productive employees who can use email more effectively.
Email senders who mostly send customized messages to specific users (e.g., transaction confirmations, statements, or customer service responses) will be able to make more effective use of email. This will permit them to move more business communications from physical mail to electronic mail, thereby lowering cost and improving customer satisfaction.
Senders of marketing messages will see improved delivery rates. As long as the messages are wanted by the recipient, DKIM will allow them to get through. Spammers and phishers have gotten increasingly clever, creating messages that look more and more like legitimate marketing pieces. Newsletters are particularly problematic; the only difference between a legitimate newsletter and spam is often whether the recipient has signed up or not. Algorithms designed to classify messages based on their content are near their practical limit. Filtering on reliable sender identity gives us a new tool to keep the bad mail out and let the good mail in.
Reprinted from http://sendmail.org