Spoofing, a method often used by spammers, is the forging of another person’s or company’s email address to get users to open a message. Phishing is sending an email attempting to trick recipients into giving out personal information, such as credit card numbers or account passwords. The email pretends to be from a legitimate source, such as a user’s bank, credit card company, or online web merchant.
Most phishing attacks come from an email in which the sender’s name in the “from line” has been forged or spoofed. Authentication is predicted to cause a significant reduction in spoofing and phishing attacks because those particular elements of email fraud are identity-based. Therefore, identity authentication will either stop phishing and spoofing, making it easier for consumers to steer clear of them, or make it easier for law enforcement to go after them.
For well-known companies that commonly send email to consumers, such as banks, utilities, remote retailers, and e-commerce services, the benefits of authentication are more profound. For these companies, protecting their users from fraudulent emails translates directly into user protection, user satisfaction, reduced customer care costs, and brand protection and trust. Companies can sign their outgoing emails with DKIM and publish their policies so that ISPs can watch for and block unsigned messages that claim to come from their domains.
If the company ‘www.example.com’ signs all of its outgoing email with DKIM, Yahoo! can add a filter to its spam protection system that blocks any unsigned or improperly signed messages. This protects tens of millions of example.com’s customers (or prospective customers) from these phishing and spoofing attacks. DKIM verification would also check the integrity of the message body.
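A receiver-side sketch of the filter described above, as an added example that is not from the original page or from any ISP's actual system. It covers the unsigned-message block and the body-integrity check (the `bh=` tag). The `SIGNS_ALL` policy list, the function names and the sample messages are assumptions, and verifying the `b=` signature against the key published in DNS is left out.

```python
import base64, hashlib, re
from email import message_from_string
from email.utils import parseaddr

SIGNS_ALL = {"example.com"}  # assumption: domains whose policy says "we sign everything"

def body_hash(body: str) -> str:
    """bh= value: base64 SHA-256 of the body under RFC 6376 'simple' canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":      # trailing empty lines collapse to one CRLF
        lines.pop()
    canon = ("\r\n".join(lines) + "\r\n").encode()
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def parse_tags(header: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def verdict(raw: str) -> str:
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in SIGNS_ALL:
        return "no-policy"                # ordinary spam filtering applies
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return "block: unsigned"
    tags = parse_tags(sig)
    if tags.get("d", "").lower() != domain:
        return "block: signed by another domain"
    body_canon = tags.get("c", "simple").partition("/")[2] or "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "simple":
        return "defer: unsupported algorithm"   # this sketch handles one case only
    if tags.get("bh") != body_hash(msg.get_payload()):
        return "block: body altered"
    return "body-ok"                      # next step: verify b= with the key from DNS

# Constructed sample messages (b= is a placeholder, not a real signature).
BODY = "Your statement is ready.\n"
SIGNED = (
    "From: Example Bank <alerts@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1;\n"
    f" h=from:subject; bh={body_hash(BODY)}; b=PLACEHOLDER\n"
    "Subject: Statement\n\n" + BODY
)
UNSIGNED = "From: alerts@example.com\nSubject: Statement\n\n" + BODY
TAMPERED = SIGNED.replace("statement is ready", "account is locked")

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED), ("unsigned", UNSIGNED), ("tampered", TAMPERED)]:
        print(name, "->", verdict(raw))
```

A message that returns `body-ok` is not yet authenticated: it has only passed the checks that need no DNS lookup.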