There is a new weapon that is emerging against the threats of email fraud. Some of the Internets most powerful companies have signed up including Google, Yahoo, Paypal and Aol.

The new tool to fight the problem is called DKIM which is an emerging e-mail authentication standard that is developed by the Internet Engineering Task Force. DKIM stands for DomainKeys Identified Mail and allows an organisation to cryptographically tag (or sign) outgoing email to verify for the recipient that they sent the message.

DKIM will attempt to address one of the biggest threats on the Internet: email fraud. According to a report released by the Authentication and Online Trust Alliance (AOTA) in late January as much as 80% of email from leading brands and banks is spoofed. This was found by analysing more than 100 million emails sent in a five month period from Fortune 500 brands

"It's a critical need that IT professionals look at e-mail authentication as a competitive advantage to protect their brands and their customers from these exploits as well as to protect their employees from spoofed or forged e-mail coming into their networks," says Craig Spiezle, chairman of AOTA.

"DKIM increases the trust with which people can regard their e-mail," says Jim Fenton, a distinguished engineer with Cisco and one of the authors of the standard. "DKIM isn't going to put an end to phishing, but I'm confident that DKIM is going to make it harder for phishing attacks to occur."

DKIM has been under development since 2004 and only now is reaching critical mass. DKIM is expected to be widely deployed this year particularly in the financial service sector and e-commerce firms. Early takers of the of DKIM include Cisco, Bank of America and American Greetings.

"My guess is that probably half of the Fortune 1000 will be DKIM signing in 2008," predicts Greg Olson, director of product management at sendlink, which started shipping a DKIM-compliant e-mail appliance in November.

DKIM put simply allows an organisation or company to insert a signature into outbound emails and associate that signature with its domain name. This signature travels with the email regardless of its route across the Internet. The email recipient can then use this signature to validate that the message is indeed genuine and from the organisations domain name. "Right now, a receiver of a message has no confidence that the message they are receiving is from whom it claims to be from," Olson explains. "DKIM is a way to permit a receiver of a message to validate that a message is, in fact, from whom it claims to be from."

DKIM is the result of a merger of two protocols Domain keys (created by Yahoo) and Identified Internet Mail created by Cisco. The final technical specifications that will form DKIM are being worked on by other message vendors and ISPs. "If I sign all my mail and you get a message that purports to come from me that's not signed, then you can assume that message is not from me," Olson explains. "That policy would be in the DNS record associated with the sender. The SSP is in its 10th draft right now. . . . I hope it will be done soon."

Network vendors say that DKIM is ready for full deployment. In November 2007 20 ISPs and messaging vendors conducted tests of their own DKIM deployments. The results of these tests were that no technical issues were discovered. DKIM is so attractive as ISPs use it to protect their customers against spam and phishing attacks. Email senders are trying to protect their brand name, identities of customers from phishing.

PayPal and eBay are co-operating with yahoo to fight phishing attacks with DKIM. Paypal and eBay are already signing their emails DKIM and yahoo mail will block emails claiming to be from eBay or Paypal that haven’t got the DKIM signature.

"eBay and PayPal have always attracted fraudsters, phishers and all that. Our customers see too much e-mail that isn’t coming from us," says Mike Vergara, director of account protection at PayPal, which is owned by eBay (Read our Q&A with Vergara). "DKIM takes a good industrywide standards approach. We need to add strong authentication to our e-mails so customers can have confidence that it did come from us. And we need to get ISPs to leverage that so we can say to them: If it didn’t come from us, please don’t deliver it."

PayPal is discussing with other ISPs to convince them to block emails from PayPal and eBay that don’t have the DKIM signature. DKIM like anything has its limitations; a minority of companies are signing their outbound messages with DKIM and even fewer still are checking for the DKIM signature on received email. Backers of DKIM will hope that this will be eliminated when banks and more ISPs start to use the system.