The Business Case for DomainKeys Identified Mail

Upload: joella-marshall

Post on 11-Jan-2016


Fighting Spam & Email Abuse Requires a Multi-Faceted Approach

DomainKeys Identified Mail is part of a multi-faceted approach to protect consumers against spam and phishing scams.

Industry collaboration efforts: Cisco, Sendmail, PGP, AOL, IBM, and others worked together to submit DKIM to the IETF

Legislation and litigation: Yahoo! has filed several lawsuits against spammers

Increasing consumer awareness: Consumer information available at http://antispam.yahoo.com and http://security.yahoo.com

Enhanced technologies: Content filters, virus protection, sender reputation and accreditation


The State of Email – Market Situation

• Worldwide email market = 465 million monthly users (comScore Media Metrix, 12/2005)

• The original design of email makes email forgery and spoofing easy for spammers

• The most egregious email abuse = phishing and online identity theft


The Proliferation of Phishing Attacks

Gartner Study: Increased Phishing and Online Attacks Cause Dip in Consumer Confidence (survey of 5,000 adults, 6/05)

• 2.42 million US adults report losing money due to phishing attacks

• In 2004 and 2005, 11 million phishing e-mail recipients clicked on the links (or about 15 percent this year and 19 percent last year)

• More than 80 percent of online consumers say that their concerns about online attacks have affected their trust in e-mail from companies or individuals they don’t know personally.

Forrester Study: Phishing Spreads Among Consumers (9/05)

• 14,000 phishing attacks were reported to the Anti-Phishing Working Group from April to Sept 2005

• According to the APWG, the number of unique key logging Web sites increased 125% from April to Sept 2005

• 86% of phishing attacks target the financial services industry


Why Yahoo! Mail is Involved

• Yahoo! Mail is the largest Web mail provider in the US and in the world – 231 million monthly unique users worldwide (comScore MediaMetrix, 12/06)

• Yahoo! provides email for:
  – SBC/AT&T
  – Verizon
  – British Telecom
  – Rogers Cable
  – Bell South
  – 100,000s of small business and personal domains


Sender Reputation Based on IP Address

• Numerous headaches with IP reputation (pre-domain authentication)
  – Maintenance
    • Senders forget to communicate (or even realize) IP address changes
    • ISPs end up relying on end user reports
  – Email Service Providers and shared IP addresses
  – Forwarding
    • 80% of forwards traffic is spam → poor reputation
    • Extremely hard to distinguish legitimate wanted forwarded mail from forgeries
    • ISPs are between a rock and a hard place – protect user from phishing and other forgeries or yield false positives
    • Marketers send TONS of mail that gets legitimately forwarded: (Yahoo!, EarthLink, Comcast, Juno, Mail.com, SBC, …)
  – Users don’t know or care about IP addresses
  – Marketers don’t care about IP addresses


Sender Reputation Based on Domains

• DomainKeys was developed to solve these issues
  – Low maintenance for sender and ISP
  – Many domains can share the same IP address without sharing the same reputation
  – Survives forwarding
  – Users know about domains
  – Company’s domain is (or should be) a prime brand attribute to marketers


Key Benefits of DomainKeys

• ISP can measure the correct reputation

• ISP can help you protect your brand

• Reduce sender reputation maintenance

• Protect email users from forgery


Implementation Costs

• CPU Cost:
  – Sendmail study shows 8-16% mail server software CPU increase
  – Several major ISPs and senders have not needed to add additional hardware

• Several royalty free software implementations available

• ESPs are beginning to implement

• DNS – infrequent updates required


Implementation Costs: Licensing

• Patent license designed to allow freedom to operate, while protecting the industry
  – Royalty free
  – Sub-licensable
  – Perpetual unless you sue Yahoo! or other implementer over DomainKeys
  – No registration required

• GPL (GNU General Public License)


How Yahoo! is using DomainKeys

• Signing and verifying email using DomainKeys

• Expect to begin using DKIM as specification stabilizes

• Showing positive verification results to users

• Skipping some antispam filters
  – Especially forgery detection
  – Filters that get fooled by forwarding most often
  – Not guaranteed inbox delivery!

• Working on providing complaint feedback loops for signed mail

• Continued integration into sender reputation systems


How it works – Sending Servers

• Set up: The domain owner (typically the team running the email systems within a company or service provider) generates a public/private key pair to use for signing all outgoing messages (multiple key pairs are allowed). The public key is published in DNS, and the private key is made available to their DomainKeys-enabled outbound email servers. This is step "A" in the diagram to the right.

• Signing: When each email is sent by an authorized end-user within the domain, the DomainKeys-enabled email system automatically uses the stored private key to generate a digital signature of the message. This signature is then prepended as a header to the email, and the email is sent on to the target recipient's mail server. This is step "B" in the diagram to the right.


How it works – Receiving Servers

• Preparing: The DomainKeys-enabled receiving email system extracts the signature and claimed From: domain from the email headers and fetches the public key from DNS for the claimed From: domain. This is step "C" in the diagram to the right.

• Verifying: The public key from DNS is then used by the receiving mail system to verify that the signature was generated by the matching private key. This proves that the email was truly sent by, and with the permission of, the claimed sending From: domain and that its headers and content weren't altered during transfer.

• Delivering: The receiving email system applies local policies based on the results of the signature test. If the domain is verified and other anti-spam tests don't catch it, the email can be delivered to the user's inbox. If the signature fails to verify, or there isn't one, the email can be dropped, flagged, or quarantined. This is step "D" in the diagram on the right.
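The sending and receiving steps above as a runnable sketch, added here as an illustration and not taken from the presentation or from any DomainKeys implementation; the verdict Verify returns is what the receiver's local policy (step D) would act on. It assumes a simplified message (From: address plus body), an in-memory map in place of DNS, and Ed25519 signatures from Go's standard library where DomainKeys used RSA; the names Mail, Sign, Verify and the example.com addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Mail is a simplified message; Sig models the prepended signature header.
type Mail struct {
	From, Body string
	Sig        []byte
}

var dns = map[string]ed25519.PublicKey{} // stand-in for DNS: domain -> public key

// signedBytes is what the signature covers here: the From: header and the body.
func signedBytes(m Mail) []byte { return []byte("From: " + m.From + "\r\n\r\n" + m.Body) }

// Sign is step B: the outbound server signs with the domain's private key.
func Sign(m Mail, key ed25519.PrivateKey) Mail {
	m.Sig = ed25519.Sign(key, signedBytes(m))
	return m
}

// Verify is step C plus the check: the key is fetched for the claimed From: domain.
func Verify(m Mail) string {
	pub, published := dns[m.From[strings.LastIndex(m.From, "@")+1:]]
	switch {
	case len(m.Sig) == 0:
		return "unsigned"
	case !published:
		return "no-key"
	case !ed25519.Verify(pub, signedBytes(m), m.Sig):
		return "bad-signature"
	}
	return "verified"
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand; demo key pair
	if err != nil {
		panic(err)
	}
	dns["example.com"] = pub // step A: publish the public key for the domain
	good := Sign(Mail{From: "billing@example.com", Body: "Invoice attached."}, priv)
	altered := good
	altered.Body = "Pay a different account." // changed after signing
	fmt.Println(Verify(good), Verify(altered), Verify(Mail{From: good.From}))
}
```

A message signed with any key other than the one published for its From: domain gets the same "bad-signature" verdict as one altered in transit, which is why the lookup is keyed on the claimed domain.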


Domains from which Yahoo! has received a DomainKeys signed email


More information and specification: http://antispam.yahoo.com/domainkeys

Tools for deployment: http://domainkeys.sourceforge.net