The IETF (Internet Engineering Task Force) has published specifications for a new email authentication tool to help fight against phishing and spam, opening the way for software vendors and email service providers to find better ways to protect email recipients.

The antiphishing and antispam specifications were announced for DKIM (DomainKeys Identified Mail), a new technology that combines several existing antiphishing and antispam methods to create an improved way to sort and identify legitimate email. The specifications provide details that independent software vendors and email service providers can use to build the protections into their products and services immediately.

Instead of using a traditional IP address to identify the sender of each message, DKIM adds a digital signature associated with the organisation's domain name. That signature is then validated invisibly at the recipient's end. 'White lists' and 'black lists' are then used by the email infrastructure software to validate the reputation of the sender.
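The receiving side of that check, as an added example that is not part of the original article: it reads a DKIM-Signature header, derives the DNS name where the signing domain publishes its public key, and recomputes the body hash. The tag names and the `_domainkey` label come from the DKIM specification; the message, domain `example.org`, selector `sel1` and the `b=` value are constructed placeholders, and the public-key check of `b=` over the headers (which needs the DNS record and an RSA library) is not performed.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def canon_body(body, mode):
    """Body canonicalization as defined by DKIM: 'simple' or 'relaxed'."""
    if mode == "relaxed":
        body = re.sub(rb"[ \t]+(\r\n|\Z)", rb"\1", body)  # strip trailing whitespace
        body = re.sub(rb"[ \t]+", b" ", body)              # collapse whitespace runs
    body = re.sub(rb"(\r\n)+\Z", b"", body)                # drop trailing empty lines
    return body + b"\r\n" if (body or mode == "simple") else b""

def body_hash(body, mode):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def inspect(sig_value, body):
    """Return the signer's key location in DNS and whether bh= matches the body."""
    t = parse_tags(sig_value)
    if not t.get("a", "").endswith("-sha256"):
        raise ValueError("unsupported algorithm: %r" % t.get("a"))
    # c= is header/body; a missing body part defaults to "simple"
    mode = (t.get("c", "simple/simple").split("/") + ["simple"])[1]
    return {
        "signing_domain": t["d"],
        "key_dns_name": "%s._domainkey.%s" % (t["s"], t["d"]),
        "body_hash_ok": body_hash(body, mode) == t["bh"],
    }

# Constructed sample message; domain, selector and b= value are placeholders.
BODY = b"Your statement is ready.  \r\nRegards,\tAccounts\r\n\r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\r\n"
       "\th=from:to:subject; bh=%s;\r\n\tb=PLACEHOLDER" % body_hash(BODY, "relaxed"))

if __name__ == "__main__":
    print(inspect(SIG, BODY))                                    # untouched body
    print(inspect(SIG, BODY.replace(b"statement", b"invoice")))  # altered in transit
```

A whitespace-only change made by a relay still passes under relaxed canonicalization, while any change to the words of the body makes `body_hash_ok` false.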

"Domain names are far more stable than IP addresses," said Dave Crocker, an IT consultant and contributor to the DKIM project. "Domain names align with an organisation far better than an IP address."


Because it incorporates a digital signature, it allows a piece of email to be identified definitively as somebody's, rather than as an email coming from an IP address that could be used by multiple people or a spam bot, Crocker said. "It's a step along the way to regaining trust in email," he added.

The core technologies used in DKIM have been around for years, he said. "We're taking existing pieces and using them together in new ways."