Leonardo DiCaprio: Actor, activist… spam fighter?
In Christopher Nolan’s mind-boggling blockbuster “Inception”, Leonardo DiCaprio’s character, Dom Cobb, spins a top (i.e., his personal totem) to determine whether he’s in the real world or the dream world. If the top doesn’t stop spinning, it means he’s in a dream.
Strangely enough, this concept of a totem got me thinking about email.
As shown in my previous post, spammers have gotten very good at crafting legitimate-looking messages that appear to be the real thing, but are as fake as the Rolexes they peddle. They’ll spoof just about anyone or any brand to lure you into opening and clicking on their emails. With that said, wouldn’t it be great if we had a totem that could tell us whether a message is authentic or forged? Thankfully, we do have such a totem, sort of. Two of them, in fact.
- DomainKeys Identified Mail (aka DKIM) makes use of digital signatures in an email to identify authentic messages. It’s like having a virtual, verifiable fingerprint in every email that identifies it as a valid message from a domain. You can read more about DKIM at dkim.org.
- Sender Policy Framework (aka SPF) is a method of identifying authorized sources of messages for a domain. As a rough analogy, it’s akin to knowing all the possible phone numbers from which your bank can call you, so if you get a call from someone with an unknown number claiming to be from your bank, you know it’s suspicious. More information about SPF is available at openspf.org.
We’ve been utilizing both DKIM authentication and SPF validation on all messages sent to our users. These two technologies give us the ability to verify if an email came from a valid source for a particular domain (that is, if the email sender utilizes these technologies as well). Remember that forged Angelina Jolie Facebook invite I received in my spam folder in my previous post? Since Facebook uses DKIM and SPF on their email-sending domains (facebookmail.com and facebook.com), we can essentially prevent the delivery of such forged messages since they will fail these email authentication checks. Out of sight, out of mind.
As we continue to enhance our implementation of these anti-spoofing techniques, and through our collaboration with partners who specialize in these technologies, we are helping to broaden the adoption of email authentication across financial institutions, social networks, shopping sites, and others. Our ultimate goal is to reject messages that are spoofing legitimate brands and trusted domains so you don’t even get to see them in your mailbox.
This is just one initiative in 2011 that we in the anti-spam team are really excited about. We’re also working on other technological measures to bring trust and security to your email experience. Suffice it to say, there won’t be any sleeping on the job as we rid your inboxes of spam. Take that, Dom Cobb!