If you’re an ordinary web user who relies on hosted email services like Gmail, the chances are that you don’t see much spam. I use Gmail and in the last three months only a couple of spam messages reached my inbox. But, as anyone who hosts email servers knows, the problem is much worse than the average inbox would lead one to believe. Users don’t see any spam because spam filters are very good. In fact, by some estimates, upwards of 70% of emails sent globally are spam — that’s a huge waste of bandwidth and a headache for email hosts.
Most of the time, spammers don’t want you to see where the spam comes from. The actual origin is often a hacked server — when a hacked server is nearing the end of its useful life for hackers, they will often use it for spamming. To prevent recipients from identifying the actual origin and to present a fake origin (like your bank), online criminals will spoof the origin domain.
Domain spoofing is possible because the protocol we use to send email — SMTP — is, by Internet standards, an ancient technology. It was designed back when no one had a clue how huge email would become, and so it has almost no built-in security. But because SMTP is used by hundreds of thousands of organizations, it’s not easy to upgrade with retroactive security measures; that would break email.
One solution is DKIM, which stands for DomainKeys Identified Mail. DKIM is a method for verifying the origin of an email. Let’s say John — who has the email address firstname.lastname@example.org — sends an email to his friend Eric. With DKIM, John’s email server will embed information signed with its private key in various parts of the email envelope, and most importantly in the DKIM-Signature field. When Eric’s domain receives the message, it can fetch the public key of example.org and use it to verify the information included in the message — unless someone has stolen the private key, the message must genuinely come from example.org.
If a spammer wanted to spoof a domain that was using DKIM, they would be unable to add the verification data because they don’t have access to the domain’s private key, so the recipient domain knows immediately that the email didn’t really come from where it claims and can deal with it appropriately.
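The receiving side of that exchange, as an added Python example (not code from the original article or from InterWorx): it reads the DKIM-Signature field, derives the DNS name where the sender's public key is published, and recomputes the body hash. The selector `sel1`, Eric's address and the `b=` placeholder are constructed assumptions; checking the RSA signature in `b=` against the fetched key is the remaining step and is not performed here.

```python
import base64
import hashlib
import re
from email import message_from_bytes
from email.utils import parseaddr


def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is insignificant
    return tags


def body_hash(body):
    """SHA-256 of the 'relaxed' canonical body, base64 encoded (the bh= tag)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def check_message(raw):
    """Report where the public key lives and whether the body still matches bh=."""
    head, _, body = raw.partition(b"\r\n\r\n")
    msg = message_from_bytes(head + b"\r\n\r\n")
    tags = parse_tags(msg["DKIM-Signature"])
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {
        # DNS TXT record the receiver queries for the signer's public key
        "key_dns_name": f"{tags['s']}._domainkey.{tags['d']}",
        "body_intact": tags["bh"] == body_hash(body),
        # DKIM alone does not require this match; a receiver compares it separately
        "signer_matches_from": tags["d"].lower() == from_domain,
    }


def sample(body, d="example.org"):
    """Constructed message; bh= is computed as a signer would, b= is a placeholder."""
    return (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=" + d.encode()
        + b"; s=sel1;\r\n\th=from:to:subject; bh=" + body_hash(body).encode()
        + b"; b=PLACEHOLDER\r\n"
        b"From: John <firstname.lastname@example.org>\r\nTo: eric@example.net\r\n"
        b"Subject: Lunch\r\n\r\n" + body
    )
```

A message whose body was altered in transit fails the `bh=` comparison before any public-key operation is needed, and a message signed by some other domain shows up as `signer_matches_from: False`.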
DKIM isn’t perfect, and obviously it doesn’t stop spam being sent and received in the first place — for that you’d need ISPs to implement a method to verify that emails travelling over their networks were plausibly from the domains they claim to be — but it does help detect spam. If every domain used DKIM, there would be very little financial incentive for spammers.
InterWorx includes full support for DKIM-authenticated email.