DKIM (DomainKeys Identified Mail) uses digital signatures to authenticate messages. The sending domain's mail server signs selected headers and the body with a private key and publishes the matching public key in DNS, so you, or your email service provider, can verify that a message claiming to be from your bank was really signed by your bank's domain and has not been altered since. Without authentication, if I receive an email saying that my account has been compromised and requesting me to verify my personal details, it's a pretty good bet that I should ignore the message. But if I receive the same message and I can prove to my own satisfaction that it came from my bank, then I should probably pay serious attention.
DKIM can offer this proof, and it has just been published by the Internet Engineering Task Force--the group responsible for technical standards on the Internet--as a specification on the IETF standards track.
But just as no one wants to buy a radio if no signal is being transmitted, and no one wants to transmit until someone can hear it, DKIM needs cooperation from both senders and receivers. Senders will drive adoption of DKIM because they have money and their brand reputation at risk.
One way phishers profit is by tricking victims into divulging personal bank account details by impersonating the bank behind that account, typically by forging the bank's address in the message's From: line. This is of huge concern to financial institutions, many of which have already started deploying DKIM. And because DKIM runs on the email servers provided by the enterprise or service provider rather than on the desktops of individual users, it doesn't require upgrading every machine on the network.
Still, a digital signature by itself isn't enough to prove that a message is valid. A valid signature proves only that the domain named in the signature (its d= tag) vouches for the message and that the signed parts were not altered in transit; it says nothing about whether that domain is trustworthy, and the signing domain need not even be the one shown in the From: line, so a receiver has to look at which domain actually signed. Phishers will undoubtedly sign mail using domains that they own. Sometimes these domains will be chosen to resemble the names of legitimate institutions.
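To make the mechanism concrete, here is an added worked example, not code from the original article or from any DKIM implementation, that signs and verifies a message the way a DKIM signer and verifier do (RSA-SHA256 over relaxed/simple canonicalization, the DKIM-Signature header with its b= value emptied included in the hash, the public key looked up under selector._domainkey.domain) and then plays out the scenario above: the bank's message verifies and reports d=bank.example; the same message altered in transit fails; and a phisher who signs with a lookalike domain it owns, bank-example.com, also verifies, because the signature proves only which domain signed. The domains bank.example and bank-example.com, the selector s1, the keys and the messages are all constructed for the example, and the map of public keys stands in for the DNS TXT lookup a real verifier performs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

type Header struct{ Name, Value string } // one e-mail header field; a message is a list of these plus a body

// relaxedHeader: DKIM "relaxed" header canonicalization (lower-case name, whitespace runs collapsed).
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// simpleBody: DKIM "simple" body canonicalization (CRLF line endings, exactly one trailing CRLF).
func simpleBody(body string) string {
	return strings.ReplaceAll(strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n"), "\n", "\r\n") + "\r\n"
}

var bTag = regexp.MustCompile(`(^|;\s*)b=[^;]*`) // the b= tag, whose value is emptied before hashing
// headerDigest hashes the signed headers (last instance of each, as RFC 6376 specifies),
// then the DKIM-Signature header itself with b= emptied and without its trailing CRLF.
func headerDigest(hdrs []Header, signed []string, sigValue string) []byte {
	h := sha256.New()
	for _, name := range signed {
		for i := len(hdrs) - 1; i >= 0; i-- {
			if strings.EqualFold(hdrs[i].Name, name) {
				h.Write([]byte(relaxedHeader(name, hdrs[i].Value)))
				break
			}
		}
	}
	sigHdr := relaxedHeader("DKIM-Signature", bTag.ReplaceAllString(sigValue, "${1}b="))
	h.Write([]byte(strings.TrimSuffix(sigHdr, "\r\n")))
	return h.Sum(nil)
}

// Sign returns the DKIM-Signature header value for the message under domain d and selector s.
func Sign(hdrs []Header, body, d, s string, key *rsa.PrivateKey, signed []string) (string, error) {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		d, s, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerDigest(hdrs, signed, value))
	return value + base64.StdEncoding.EncodeToString(sig), err
}

// Verify checks sigValue against the message; keys stands in for the DNS TXT records at
// selector._domainkey.domain. It returns the signing domain (d=), which need not equal the From: domain.
func Verify(hdrs []Header, body, sigValue string, keys map[string]*rsa.PublicKey) (string, error) {
	tags := map[string]string{}
	for _, t := range strings.Split(sigValue, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	if tags["v"] != "1" || tags["a"] != "rsa-sha256" {
		return "", fmt.Errorf("unsupported version %q or algorithm %q", tags["v"], tags["a"])
	}
	bh := sha256.Sum256([]byte(simpleBody(body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return "", fmt.Errorf("body hash mismatch")
	}
	pub := keys[tags["s"]+"._domainkey."+tags["d"]]
	if pub == nil {
		return "", fmt.Errorf("no key published at %s._domainkey.%s", tags["s"], tags["d"])
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerDigest(hdrs, strings.Split(tags["h"], ":"), sigValue), sig) != nil {
		return "", fmt.Errorf("header signature does not verify")
	}
	return tags["d"], nil
}

func main() {
	bankKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	phishKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := map[string]*rsa.PublicKey{ // constructed stand-in for the two domains' DNS records
		"s1._domainkey.bank.example":     &bankKey.PublicKey,
		"s1._domainkey.bank-example.com": &phishKey.PublicKey,
	}
	signed, body := []string{"From", "To", "Subject"}, "Please verify your details.\n"
	for _, c := range []struct{ from, d string; key *rsa.PrivateKey }{
		{"alerts@bank.example", "bank.example", bankKey},
		{"alerts@bank-example.com", "bank-example.com", phishKey}, // the phisher signs with a domain it owns
	} {
		hdrs := []Header{{"From", c.from}, {"To", "me@example.net"}, {"Subject", "Account notice"}}
		sig, _ := Sign(hdrs, body, c.d, "s1", c.key, signed)
		d, err := Verify(hdrs, body, sig, keys)
		_, tampered := Verify(hdrs, body+"Visit http://bank-example.com/\n", sig, keys)
		fmt.Printf("From: %s -> signed by d=%s (err=%v); altered in transit: %v\n", c.from, d, err, tampered)
	}
}
```

Run it with go run. Both messages print a successful verification; the receiver's job is what happens after that line: compare the d= domain that Verify returns with the domain in From:, and then consult what is known about that domain, which is the reputation question the following paragraphs raise. Note also what the phisher cannot do: sign with d=bank.example, because the key published under that name is not theirs, so the forged signature fails.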
You can compare authentication to a driver's license, which proves who someone is, but tells you nothing about their safety record; for that you need to know something about their driving history. In the email world, we call this "reputation," which is essential to assessing the value of a message. The next big step to restoring trust in email will be the creation of reputation servers so we can see the "driving history" of the multitude of lesser-known sites.
While DKIM by itself is a valuable technology, to really shine it will need to be used in concert with other technologies, some still in development. But we must start with DKIM.
Email senders should start using DKIM as soon as feasible so that they and their customers can reap the benefits. Email receivers should start verifying DKIM signatures so that next-generation antispam and antiphishing tools can use that information to deliver better results. And end users should ask their email providers what they are doing to deploy email authentication and restore trust in Internet email.