DomainKeys Identified Mail is a an email authentication method designed to control spam and phishing. Developed by Yahoo, DKIM is now endorsed by major Internet and email related organizations such as the PGP Corporation, Cisco Systems, and the developers of Sendmail. While other competing email authentication methods have been proposed, such as SenderID and Sender Policy Framework, only DomainKeys Identified Mail is being evaluated as a possible Internet Engineering Task Force standard. Currently, several large email service providers such as Yahoo, Gmail, and AOL utilize DKIM technology in emails sent from their systems.
DomainKeys Identified Mail works by embedding a cryptographic signature in the email header. This signature is a unique product of the email message's contents and the sender's private key. When the email is received at the destination, a DKIM-compliant SMTP server will fetch the supposed sender's public key from DNS records and try to verify the signature. If the signatures match, then this proves that the message did in fact originate from the sender in question. Additionally, this proves that the message had not been altered in transit. Although a failed match does not necessarily indicate spam, it is a good indication of a forged return address or email alteration. Forged return addresses are common among spam and phishing attacks. Non-compliant SMTP servers can simply ignore the DKIM header and process the mail normally.
As with other proposed email authentication techniques, DomainKeys Identified Mail has several drawbacks and disadvantages. As each email received must be checked against the sender's public key, the DNS servers responsible for providing the public keys are vulnerable to DDoS attacks. If an email message is sent to a large group of people, such as a mailing list, then the DNS server may be hit with millions of requests in a small time period. The SMTP server then must either proceed without verification, or delay email delivery until it can be verified. Many such email messages queued for verification could also overflow the spool or cache, resulting in lost data. An additional drawback is the processing power involved in cryptographic parsing of email on a large scale. DomainKeys Identified Mail servers will require much more RAM and a faster processor than a conventional SMTP server. A final drawback of the DKIM method lies in the fact that email messages are in fact often altered slightly in transit. Each mail transfer agent is liable to add a header to the message indicating it's path, and other anti-spam tools such as SpamAssassin may add their own headers or modify the subject header.
Security Terminology Questions