
Google Apps Ups Ante To Fight Against Spam With Auto Email Signing

January 7, 2011

Mountain View, California — Email spam remains a dogged problem, even if the total amount has fallen recently. Now search engine giant Google is claiming to be the first major email vendor to respond by providing a digital signature option at no additional cost to its Google Apps for business customers. The technology is designed to snuff out spam and phishing emails by cryptographically verifying that senders are the entities they claim to be.

The email authentication standard, DomainKeys Identified Mail (DKIM), is available right away in Google Apps and can be activated with a few clicks from the “Advanced Tools” tab by any Google Apps admin, Google Enterprise Product Manager Adam Dawes blogged.

This technology is designed to prevent “tampering” with messages, the widely used spam technique of sending emails with a bogus “from” address, or with one that is real but was not used by its owner to send the message. DKIM uses a pair of keys (a public key published in the domain’s DNS records and a private key used to sign sent messages) that is intended to prevent address spoofing. Email recipients can then configure spam filters to automatically block or allow email confirmed to come from certain domains.

“Today, we mark another gouge in the spam-fighting loop: we are making it possible for all Google Apps customers to sign their outgoing messages with DKIM, so their outgoing messages are less likely to get caught up in recipients’ spam filters,” Dawes wrote in a blog post. “Google Apps is the first major email platform — including on-premises providers — to provide simple DKIM signing at no extra cost.”

An e-mail signed by its sender with DKIM gets a “signed by” line in Gmail as an assurance it’s authentic. (Credit: Google)

“As more e-mail providers around the globe endorse DKIM signing, spam fighters will have an even more reliable signal to separate unwanted mail from good mail,” he added. “E-mail authentication is an important mechanism to verify senders’ identities, giving users a tool to recognize potential spam messages. In addition, many mail systems can display whether a received message is DKIM-verified, which helps spam filters verify and assess the overall reputation of the sender’s domain: messages from untrusted senders are treated more skeptically than those from good senders.”

The openness of the internet has been instrumental in its worldwide adoption, but it also makes it easy for fraudsters to spoof virtually any address they want. Witness the torrent of phishing emails purporting to come from banks, e-commerce sites, and government agencies.

If supported broadly, DKIM could go a long way to improving the email portion of Google Apps. While the service does a better job than many in blocking incoming spam, your reporter has found that mail sent through the Google cloud gets repeatedly caught in his recipients’ spam filters. Remarkably, even the Google-owned Postini filter has trouble determining that email sent over Google Apps is legitimate. The ability to cryptographically prove email came from the service ought to help.

A DKIM FAQ and instructions for its implementation in Google Apps are here and here. If you have set up your domain through Google Apps, the service will automatically handle your DKIM keys. If you have set up your own domain, Google Apps supplies the keys and you must configure them on your own.
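For admins who configure the keys themselves, the sketch below (an added example, not code from Google or from the original article) shows how a message's DKIM-Signature header points at the DNS record holding the public key, and which basic checks catch a missing or mis-pasted record or a signing domain that does not match the visible sender. The selector `google`, the domain `example.com`, the placeholder key bytes and the dictionary standing in for a DNS TXT lookup are all assumptions; it does not verify the cryptographic signature itself.

```python
import base64
import binascii
from email import message_from_string
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_message(raw_message, dns_txt):
    """Return (dns_query_name, problems). dns_txt stands in for a TXT lookup."""
    msg = message_from_string(raw_message)
    sig = parse_tags(msg.get("DKIM-Signature", ""))
    if not sig:
        return None, ["no DKIM-Signature header"]
    d = sig.get("d", "").lower()
    qname = f"{sig.get('s', '')}._domainkey.{d}"  # where the public key lives
    problems = []
    # The signature vouches only for d=, so compare it with the visible sender.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != d and not from_domain.endswith("." + d):
        problems.append(f"d={d} does not cover From domain {from_domain}")
    if "from" not in sig.get("h", "").lower().split(":"):
        problems.append("From header is not covered by the signature")
    record = parse_tags(dns_txt.get(qname, ""))
    if not record:
        return qname, problems + [f"no key record at {qname}"]
    try:
        key = base64.b64decode(record.get("p", ""), validate=True)
    except binascii.Error:
        key = b""
    if not key:
        problems.append("p= is empty or not valid base64")
    return qname, problems

# Constructed sample data: placeholder bytes, not a real key or signature.
FAKE_B64 = base64.b64encode(b"constructed placeholder").decode()
SAMPLE_DNS = {"google._domainkey.example.com": f"v=DKIM1; k=rsa; p={FAKE_B64}"}
SAMPLE_MSG = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;\n"
    f"\th=from:to:subject; bh={FAKE_B64}; b={FAKE_B64}\n"
    "From: Alice <alice@example.com>\nTo: bob@example.org\n"
    "Subject: constructed sample\n\nHello\n"
)
```

Calling `check_message(SAMPLE_MSG, SAMPLE_DNS)` returns the DNS name to query and an empty problem list; replacing the dictionary with a real TXT lookup turns it into a post-setup check for a self-managed domain.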