Recently, Google software engineer and Gmail spam czar Brad Taylor announced that Google is taking a hard-line approach to phishing. Using DKIM alongside the usual tools that keep Gmail inboxes clean, Google is moving to stop phishing messages that forge certain sender domains from ever appearing at all, not even in your Spam folder.
Google is using DKIM to stop phishing emails from appearing. (Image: J. Anderson)
Using PayPal as an example, Taylor explained that Google has always done what it can to keep phishing messages out of your inbox. “Gmail does its best to put a red warning label on phishing messages, but it can be hard for us to know sometimes and we can't be 100% perfect,” he said. That leaves you with few options, and occasionally, rare as it is, a phishing email that slipped past Google’s net will land in your inbox.
Asking the question, “Wouldn't it be better if you never saw phishing messages at all, not even in your spam folder?”, Taylor went on to explain that since 2004 Google has used and supported email authentication standards such as DKIM (DomainKeys Identified Mail), which let a receiving server check that a message really was signed by the domain it claims to come from. “This is a key tool we use to keep spam out of Gmail inboxes. But these systems can only be effective when high volume senders consistently use them to sign their mail -- if they're sending some mail without signatures, it's harder to tell whether it's phishing or not,” he said.
PayPal and eBay are teaming up with Google, and starting this week any email that claims to come from their domains but carries no valid DKIM signature will simply be dropped by Google’s servers. Both companies now DKIM-sign every message leaving their mail systems, wherever in the world it originates. It is that step, Taylor says, that lets Google block all forged email from their domains outright: no DKIM, no delivery.
“We think it's great that PayPal and eBay have taken on the challenge of securing email, and we're pleased to have put our best efforts together to make this work. It's a bold move, but one that will really help fight phishing. Our hope is that this will set a good example for other organizations to follow (yes, it can be done!) and that over time more and more email will become trustworthy.”
However, DKIM is only one step, and it only works when senders actually use it. The protection it gives also assumes that the mail server signing the message was secure at the time it signed: a valid signature proves that the message passed through a system holding the domain's signing key, not that the content is honest. That makes DKIM just one layer of security. If someone takes over your mail systems, your DKIM key will happily sign their spam and phishing messages, and every receiver will verify them as genuine. For the same reason, a receiver enforcing a policy like Google's has to check not only that a signature verifies but that the signing domain (the d= tag) is the same domain that appears in the From: header; a signature from some other domain the phisher controls is cryptographically valid but proves nothing about PayPal or eBay.
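To make the mechanism above and the caveat concrete, here is an added example of a minimal DKIM signer, verifier and receiver policy in Go. It is not code from the article, Google, PayPal or eBay, and it is not a full RFC 4871 implementation: it covers only relaxed/simple canonicalisation, RSA-SHA256, and the From and Subject headers. The key table stands in for the DNS TXT lookup of selector._domainkey.domain that a real verifier performs, and the selector s1, the sample message and the RSA key are all constructed for the demo. The policy at the end is the article's rule: mail with a From domain in the must-sign list is delivered only if a signature verifies and its d= domain matches that From domain, which is what rejects both an unsigned forgery and a forgery signed by the attacker's own domain.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Message is a minimal mail: one value per header name (case as written) plus the body.
type Message struct {
	Headers map[string]string
	Body    string
}

// bTag matches the whole b= tag, so that bh= is left untouched when b= is emptied.
var bTag = regexp.MustCompile(`(^|;\s*)b=[^;]*`)

// relaxedHeader is DKIM "relaxed" header canonicalisation (RFC 4871 s3.4.2): lower-case name, unfold, collapse whitespace.
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ")
}

// simpleBody is "simple" body canonicalisation (s3.4.3): drop trailing empty lines, end in one CRLF.
func simpleBody(body string) string {
	body = strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n") + "\n"
	return strings.ReplaceAll(body, "\n", "\r\n")
}

// signedData is what gets hashed: each h= header in relaxed form plus CRLF, then the
// DKIM-Signature header itself with the b= value emptied and no trailing CRLF (s3.7).
func signedData(m Message, hTag, sigValue string) []byte {
	var sb strings.Builder
	for _, h := range strings.Split(hTag, ":") {
		sb.WriteString(relaxedHeader(h, m.Headers[h]) + "\r\n")
	}
	sb.WriteString(relaxedHeader("DKIM-Signature", bTag.ReplaceAllString(sigValue, "${1}b=")))
	return []byte(sb.String())
}

// Sign returns the DKIM-Signature value a sending MTA for domain would add,
// covering From, Subject and the body hash with RSA-SHA256.
func Sign(m Message, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	bh := sha256.Sum256([]byte(simpleBody(m.Body)))
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=From:Subject; bh=%s; b=",
		domain, selector, base64.StdEncoding.EncodeToString(bh[:]))
	digest := sha256.Sum256(signedData(m, "From:Subject", unsigned))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return unsigned + base64.StdEncoding.EncodeToString(sig), err
}

// parseTags splits a "k=v; k=v" DKIM tag list (s3.2) into a map.
func parseTags(value string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(value, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// Verify checks bh= and the RSA signature. keys stands in for the DNS TXT lookup of
// <s>._domainkey.<d>. The d= domain is returned even on failure, for the alignment check.
func Verify(m Message, keys map[string]*rsa.PublicKey) (string, bool) {
	sigValue, tags := m.Headers["DKIM-Signature"], parseTags(m.Headers["DKIM-Signature"])
	pub, ok := keys[tags["s"]+"._domainkey."+tags["d"]]
	bh := sha256.Sum256([]byte(simpleBody(m.Body)))
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if !ok || err != nil || base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return tags["d"], false
	}
	digest := sha256.Sum256(signedData(m, tags["h"], sigValue))
	return tags["d"], rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Decide is the receiver policy the article describes: a From domain listed in mustSign is
// delivered only when a signature verifies and its d= is that same domain; anything else
// goes on to ordinary spam filtering ("accept" here).
func Decide(m Message, keys map[string]*rsa.PublicKey, mustSign map[string]bool) string {
	fromDomain := ""
	if addr, err := mail.ParseAddress(m.Headers["From"]); err == nil {
		fromDomain = strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
	}
	if d, ok := Verify(m, keys); mustSign[fromDomain] && !(ok && strings.EqualFold(d, fromDomain)) {
		return "reject"
	}
	return "accept"
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key standing in for paypal.com's real one
	keys := map[string]*rsa.PublicKey{"s1._domainkey.paypal.com": &key.PublicKey}
	mustSign := map[string]bool{"paypal.com": true, "ebay.com": true}
	m := Message{Headers: map[string]string{"From": "PayPal <service@paypal.com>", "Subject": "Your receipt"},
		Body: "Thanks for your payment.\r\n"} // constructed sample message
	fmt.Println("unsigned:", Decide(m, keys, mustSign))
	m.Headers["DKIM-Signature"], _ = Sign(m, "paypal.com", "s1", key)
	fmt.Println("signed:  ", Decide(m, keys, mustSign))
	m.Body = "Confirm your account at the link below.\r\n" // altered after signing
	fmt.Println("tampered:", Decide(m, keys, mustSign))
}
```

Two design points are worth noticing. The verifier rebuilds the signed data from the DKIM-Signature header with only the b= value removed, exactly as RFC 4871 section 3.7 specifies, so the signer does not have to be the same code. And Verify deliberately hands back the d= domain even when the signature fails, because the policy decision depends on two separate questions, "does it verify" and "who signed it", and collapsing them into one boolean is how receivers end up accepting a phisher's perfectly valid signature over a forged PayPal From: address. In production you would use a maintained implementation such as OpenDKIM or dkimpy and publish the key in DNS, but the policy gate stays the same.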
RFC 4871 is the IETF specification for DomainKeys Identified Mail (DKIM); the Internet Engineering Task Force published it as a Proposed Standard in May 2007. DomainKeys started at Yahoo in 2004, but IBM, EarthLink, Microsoft, Spamhaus, Google, PayPal, and Alt-N all had a hand in getting DKIM to where it is today.