Q&A with Yahoo executive on its e-mail fraud protection technology, called DKIM, or DomainKeys Internet Mail.
E-mail authentication is on the rise, and much of the credit goes to Yahoo.
Yahoo came up with the idea of authenticating e-mail at the domain level, rather than with the IP address. Yahoo dubbed this concept DomainKeys and promoted it in the open source and standards communities. The IETF completed the DomainKeys Internet Mail (DKIM) standard last year, and corporate adoption is rising rapidly.
Network World Senior Editor Carolyn Duffy Marsan interviewed Mark Risher, anti-abuse product manager for Yahoo Mail, about the benefits Yahoo is seeing from DKIM. Here are excerpts from our conversation:
How does DKIM fit in Yahoo's antiphishing strategy?
We have 260 million users; we're the largest single e-mail provider. As such, we're able to witness a broad swath of the Internet and take steps to protect our users. One of those steps was the invention of DomainKeys, which we released open source to the industry as a whole. This is a technology that we feel is needed to protect e-mail users across the Internet, not just Yahoo users. We found a lot of interest in DomainKeys both from companies sending mail on their own behalf such as PayPal as well as e-mail service providers who handle marketing campaigns for others. They all are finding some value in being able to authenticate a message back to them and to prove that the e-mail message did originate from the sender. This technology is something we felt would be very helpful for receivers so we can confer special privileges to a message. For this other message that lacks a signature, we can penalize it. We can treat it with more suspicion and run it through additional filters.
How widely is DomainKeys used?
We have seen aggressive uptake of DomainKeys. More than 40% of our inbound traffic to Yahoo Mail is using DomainKeys. That's more than 1 billion messages a day with the open source version. DKIM is its successor. We're starting to see DKIM deployed. Mail senders, both private companies and e-mail service providers, are adopting one or both technologies in parallel. These companies are starting to reach out to Yahoo to say that they are signing their messages, and they want us to start treating signed messages with special privileges or penalize messages that aren't signed. I don't have the statistic at the tip of my fingers about how much of our mail is DKIM signed, but we're seeing it rise dramatically. Within 18 months, all of the top financial institutions will use DKIM.
What benefits does DKIM provide?
The benefit for senders is that they can more easily manage their outbound e-mail traffic. But there's also tremendous benefit for receivers like end users of Yahoo Mail. We can look at messages and maintain a list of domains that are meaningful to our users, vs. IP addresses which are irrelevant to our users.
Yahoo has an arrangement with PayPal where you will reject e-mail that supposedly comes from PayPal or eBay but isn't signed. Do you have relationships like that with other companies?
No. We are working with senders and third-party e-mail service providers to try to devise a way to make this a scalable solution. As we discussed at the time we announced the arrangement with PayPal and eBay, time is required to gain confidence with DKIM on both sides [before you can start rejecting mail]. DKIM is a simple technology. It can be implemented by senders for free using a software plug-in. But it takes time for various departments to understand who is sending e-mail on a company's behalf. We are looking at how we can design a process for other companies to say "Yes, we are using DKIM."
A year from now, will you be stopping a lot of mail at the front gate because of DKIM?
No. Stopping mail at the front gate will be limited to a small number of senders. But I do hope that a year from now, a lot of marquee brands sending e-mail from a variety of sources will be using e-mail authentication based on DomainKeys and DKIM so receivers can more clearly determine if the e-mail came from the source. Once that happens, e-mail administration becomes simpler. If a company maintains 118 different IP addresses for sending mail but they send e-mail under one domain, it's 118 times easier for me to deal with one domain than 118 IP addresses.
If you're not going to block unsigned e-mail for companies that use DKIM, will you send it through more filtering?
Yes.
How significant of an impact will DKIM have on phishing?
I would describe it as profound. As we're crossing the tipping point of this technology, we will see even small senders like a small bicycle shop sending out a newsletter using DKIM. It's really moving us to a much better, more responsible, easier-to-manage network. As the receiver protecting the largest number of user in-boxes, there are messages we want and there are messages that we don't want. We'll be able to segment them for domains that are relevant to our users.
What advice would you offer to CIOs considering rolling out DKIM?
The advice I would give them is that this is really quite simple and straightforward and that they should begin. There are values to be gained before you reach the point of signing 100% of your mail. The focus has been on blocking mail once you reach 100%, but there are tremendous benefits if you are only signing 10% of your mail. Those 10% of messages are clearly documented as to where they are coming from, and they will get privileges in the in-boxes of Yahoo Mail users.
Isn't DKIM the beginning of massive blocking of e-mail on the Internet?
It could move that way. But if there were no blocking and everyone was authenticating, DKIM would still be providing tremendous value by providing a reputation around a domain vs. an IP address. Microsoft has introduced a technology that doesn't address the problem in as clean or neat of a way. One of the issues with Microsoft's Sender ID framework is that it relies on a message coming directly from one IP address to the receiver without any other hops in between. If the message has been forwarded, Sender ID doesn't work. With DKIM it doesn't matter how many hops a message has come through, we can still confer privileges upon it.
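To make the forwarding point concrete, here is an added example (not Yahoo's code, nor the standard's reference implementation): a DKIM-style signature over selected headers and the body that still verifies after a relay prepends its own Received header, beside an IP-path check in the Sender ID style that fails on the same relayed message. HMAC-SHA256 with a constructed shared key stands in for DKIM's RSA-SHA256 and DNS-published public key; the domain, selector and addresses are constructed.

```python
import base64, hashlib, hmac

# Header fields covered by the signature (the h= tag of a DKIM-Signature).
SIGNED_HEADERS = ["from", "to", "subject"]

def canon_header(name, value):
    # Minimal "relaxed" header canonicalization: lowercase the field name and
    # collapse runs of whitespace, so refolding by a relay does not break the hash.
    return f"{name.lower()}:{' '.join(value.split())}"

def body_hash(body):
    # bh= tag: SHA-256 of the body with trailing CRLFs normalised to a single CRLF.
    norm = body.rstrip("\r\n").encode() + b"\r\n"
    return base64.b64encode(hashlib.sha256(norm).digest()).decode()

def signed_data(headers, sig_fields):
    # Data the signature covers: the listed headers (bottom-most instance of
    # each, as DKIM does) plus the DKIM-Signature field with an empty b= value.
    found = {n.lower(): v for n, v in headers}
    lines = [canon_header(n, found.get(n, "")) for n in SIGNED_HEADERS]
    lines.append(canon_header("dkim-signature", sig_fields))
    return "\r\n".join(lines).encode()

def sign(headers, body, key, domain="example.com", selector="s1"):
    # Returns the DKIM-Signature header value. HMAC stands in for RSA-SHA256
    # (assumption for this demo; real DKIM publishes the public key in DNS).
    fields = (f"v=1; a=hmac-sha256; d={domain}; s={selector}; "
              f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    mac = hmac.new(key, signed_data(headers, fields), hashlib.sha256).digest()
    return fields + base64.b64encode(mac).decode()

def verify(headers, body, sig, key):
    # Recompute bh= and b= from the message as received; any change to a
    # signed header or to the body makes this return False.
    cut = sig.rfind("b=") + 2
    fields, b = sig[:cut], sig[cut:]
    bh = fields.split("bh=", 1)[1].split(";", 1)[0].strip()
    if not hmac.compare_digest(bh, body_hash(body)):
        return False
    mac = hmac.new(key, signed_data(headers, fields), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), b)

def forward(headers, relay_ip):
    # A forwarder prepends its own Received header; signed headers are untouched.
    return [("Received", f"from relay ({relay_ip})")] + list(headers)

def ip_path_check(connecting_ip, allowed_ips):
    # Sender ID-style check: the last hop must be an IP the domain publishes.
    return connecting_ip in allowed_ips
```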
What's next for Yahoo in the battle against phishing?
Yahoo has a lot of things cooking. We have some of the smartest computer scientists in the world working on the problems of phishing, spam and fraudulent e-mail in general. With every project we have taken on, we are looking for ways we can apply the solution not just to Yahoo Mail users but to the broader Internet community. We want to eradicate this problem, or at least keep it a small nuisance. We don't have any announcements to make right now. But we are taking to heart our success with DomainKeys by releasing it to open source and then putting it on the IETF standards track. We really hope e-mail authentication becomes de rigueur. Once we get to that critical mass, which we are close to, then ISPs like Yahoo and others can start taking action around that. We can make routing decisions which should help reduce spam, phishing and fraudulent e-mail for Yahoo Mail users and for everyone else on the Internet.