At RSA Conference 2011, experts suggested the best way to fight phishing was collaboration with webmail providers and utilizing the SPF and DKIM email authentication technologies. Do you agree with this assessment? What makes SPF and DKIM so effective against phishing? Can they be used together and what is meant by collaboration with webmail providers?
I agree that the best and most effective approach to fighting phishing emails is for everyone to make a combined use of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The problem with these two technologies though is they require almost total adoption by everyone who sends and receives email for them to be effective. This is why the conference concluded that to fight phishing there needs to be collaboration with webmail providers. If we look at how these two technologies work, you will see why.
SPF is an open standard that allows domain owners to publish their mail-sending policy as an SPF record in the domain's DNS zone; for example, the record can list which mail servers are authorized to send mail for that domain. A server receiving an email can check that the connecting server complies with the policy published for the email's domain. If the message comes from a server the policy does not list, it can be treated as forged and blocked. Because SPF prevents sender-address forgery, it provides confidence in the authenticity of the sender address, which in turn paves the way for another method of controlling email: sender reputation.
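To make the SPF mechanism above concrete, here is an added example (not part of the original column) of the evaluation a receiving mail server performs: it looks up the sender domain's `v=spf1` record, walks the mechanisms in order, and returns the RFC 7208 result for the connecting IP. The DNS zone data is a constructed in-memory table standing in for real TXT lookups, and the domains (`example.com`, `_spf.mailprovider.example`) are placeholders; only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled, since `a`, `mx` and `exists` would need further DNS queries.

```python
import ipaddress

# Constructed stand-in for DNS TXT records (assumption: a real resolver would
# query these names). The second record is what a third-party mail provider
# might publish so that customers can reference it with "include:".
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example ~all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "nospf.example": "some unrelated TXT record",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = DNS_TXT.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, depth=0):
    """Evaluate the connecting IP against the domain's SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC 7208 limits nested lookups
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:                  # modifier, e.g. redirect= or exp=
            if term.lower().startswith("redirect="):
                return "permerror"       # not modelled in this example
            continue                     # unknown modifiers are ignored
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"       # included domain must have a record
            matched = sub == "pass"      # only a "pass" inside counts as a match
        else:
            return "permerror"           # a, mx, exists, ptr not modelled here

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # no mechanism matched, no "all" term


def receiving_decision(ip, mail_from_domain):
    """How a receiver might act on the result; policy choice is illustrative."""
    result = check_host(ip, mail_from_domain)
    action = {"pass": "accept", "fail": "reject",
              "softfail": "accept-and-flag"}.get(result, "accept-unverified")
    return result, action


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(ip, receiving_decision(ip, "example.com"))
```

The `include:` handling is the part that mirrors the "collaboration with webmail providers" point: a domain that sends through a large provider can only pass SPF if that provider publishes and maintains its own record, and every receiver has to run this check for the policy to have any effect.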
SPF is certainly a powerful tool against spam and phishing emails, but it needs every domain to add an SPF record to its DNS zone, and for mail servers to verify each email it receives. It’s a similar case for DKIM, which lets a message originator -- or anyone handling a message en route to its destination -- validate the domain name identity associated with it through cryptographic authentication.
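The DKIM side can be shown in the same way. The following added example (not from the original column) implements the first verification step a receiving server performs: locating the DKIM-Signature header, parsing its tags, canonicalizing the body as the `c=` tag specifies, and checking that the recomputed body hash matches the signed `bh=` value. The sample message, its domain `bank.example` and selector `mail2011` are constructed placeholders; the RSA check of the `b=` signature over the headers, which needs the public key from the `selector._domainkey.domain` TXT record, is outside what the standard library provides and is only named here.

```python
import base64
import hashlib
import re


def split_message(raw):
    """Separate the header block from the body at the first blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def get_header(head, name):
    """Return a header value with folded continuation lines joined."""
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    for line in unfolded.split("\r\n"):
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_tags(value):
    """Parse a DKIM tag=value list; whitespace inside values is ignored."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization: 'simple' strips trailing empty lines,
    'relaxed' also collapses runs of whitespace and trims line ends."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, mode="simple"):
    """The value a signer places in bh= (base64 of SHA-256 over canonical body)."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(raw):
    """Recompute bh= and report where the public key record would be fetched."""
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return {"status": "no-signature"}
    tags = parse_tags(sig)
    if not tags.get("a", "").lower().endswith("sha256"):
        return {"status": "unsupported-algorithm"}
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    ok = body_hash(body, body_mode) == tags.get("bh")
    return {
        "status": "body-hash-ok" if ok else "body-hash-mismatch",
        "body_hash_ok": ok,
        "signing_domain": tags.get("d"),
        # The b= signature would next be checked with the key published here:
        "key_record": f"{tags.get('s')}._domainkey.{tags.get('d')}",
    }


def build_sample_message():
    """Constructed message (assumption) with a signer-computed bh= tag."""
    body = "Your  statement is ready. \r\n\r\n"
    head = (
        "From: alerts@bank.example\r\n"
        "To: customer@webmail.example\r\n"
        "Subject: Statement ready\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bank.example;\r\n"
        f" s=mail2011; h=from:to:subject; bh={body_hash(body, 'relaxed')};\r\n"
        " b=SIGNATURE_PLACEHOLDER_NOT_A_REAL_VALUE"
    )
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    msg = build_sample_message()
    print(verify_body_hash(msg))
    print(verify_body_hash(msg.replace("ready", "overdue")))
```

The point of the `bh=` check is that a phisher who relays a genuine signed message but edits its body cannot keep the signature valid, and a phisher who never had the signing key cannot produce a valid `b=` at all; neither property helps unless the receiving server actually performs the check, which is the adoption problem the column describes.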
The combination of these two technologies certainly provides a means to fight spam, but every domain must have an SPF record and use DKIM for it to be truly effective. It also requires every mail server to validate SPF records and systematically sign each email, which does consume server resources but doesn’t require manual effort on the part of users. Implementing these checks is not easy; it took Google the better part of a year to finish the process. Until every major mail server is compliant, users will still not be able to routinely trust every email that arrives in their inbox.
The other problem the industry faces is that it will take a long time to restore user confidence in emails purporting to come from banks and other high-profile institutions. Bank emails are so commonly spoofed that most banks don’t send information about customers’ accounts via email, and they make a point of never using email to contact customers. They will have quite a PR exercise ahead of them to convince all their customers that it is now safe to open and follow links in emails from them. Despite these hurdles, these technologies, combined with collaboration between the Internet's major players, will slowly make it harder and harder for would-be phishers and spammers to send fake emails.
This was first published in October 2011