Junked: Is this the end of spam and spoof email?

Spammers, phishers and other internet fraudsters, be warned.

A key internet standards body has given preliminary approval to a powerful technology designed to detect and block fake email messages.

It's called DomainKeys Identified Mail, and it promises to give internet users the best chance so far of staunching the seemingly endless flow of fraudulent junk email.

Cisco Systems, PGP Corporation, Sendmail and Yahoo! are behind the push for DomainKeys, which the companies said in a joint statement will provide "businesses with heightened brand protection by providing message authentication, verification and traceability to help determine whether a message is legitimate".

The draft standard that the Internet Engineering Task Force adopted is more promising than most other anti-spam and anti-phishing technologies because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants.

Want more photos?

Click here to browse the full archive of our photo stories.

The way it works is straightforward: if PayPal sends an email notice to customers about their accounts, the company's outgoing mail server will quietly insert a digital signature into the legitimate message. (Because the signature is embedded in the message headers, it's generally not visible to human readers.)

Let's say the recipient has a Yahoo! Mail address. Yahoo!'s mail servers can automatically check PayPal's internet domain name listing to verify that the digital signature is valid and the message truly originated at Paypal.com. Signatures by authorised third parties are permitted as well, which is useful for outsourced email.

If the signature doesn't check out, the message is probably spam - or a phishing attack designed to try to fool someone into divulging their details about their PayPal account. While the DomainKeys standard doesn't actually specify that messages with invalid signatures should be flagged as junk, ISPs are likely to do just that.

All of these steps represent a belated effort to fix a fundamental problem with internet email: it was designed in a far more innocent era and came with little built-in security.

In the long run, DomainKeys is more promising than existing anti-spam and anti-phishing technologies, which rely on techniques such as assembling a "blacklist" of known fraudsters or detecting such messages by trying to identify common characteristics. Increasingly creative counter-attacks by fraudsters - such as inserting image advertisements in the text of messages - have been able to defeat many of these methods.

DomainKeys represents a radical shift in the arms race between phishers, in particular, and internet users. The digital signatures, which use public key cryptography, are viewed as unforgeable.

But the DomainKeys approach does suffer from one serious, short-term problem: it's only effective if both the sender and recipient's mail systems are upgraded to support the standard.

Also, it does not do anything to flag junk email sent by a legitimate company, or identify spam sent from a domain name with a true DomainKeys record. By restricting spammers to a limited set of domain names, however, Yahoo! believes "a persistent reputation profile can be established for that sending domain" which can be updated over time and posted publicly.

Other advocates so far include anti-spam vendors and frequent email senders: AOL, Cox Communications, EarthLink, IBM, IronPort Systems, Trend Micro and VeriSign.

The Internet Engineering Task Force's preliminary approval does make DomainKeys, or DKIM, an official proposed standard. But because it's the only technology that has achieved that status - Microsoft's competing Sender ID idea has not - it has a visible edge.

In a blog posting, Yahoo! engineer Mark Delany said: "Everything hinges on widespread adoption. Now that DKIM is on Standards Track, the hurdle to global adoption has been greatly reduced but not cleared."

While Microsoft's Sender ID program is similar in principle to DomainKeys, its acceptance has been limited because Microsoft initially did not agree to license patents in ways that are compatible with GNU General Public Licence. For its part, Yahoo! has agreed to open up a number of its pending and granted patents for use with DomainKeys.

Declan McCullagh writes for CNET News.com