Email spoofing - the forging of another person's or company's email address to get users to trust and open a
message - is one of the biggest challenges facing both the Internet community and anti-spam technologists
today. Without sender authentication, verification, and traceability, email providers can never know for certain
if a message is legitimate or forged and will therefore have to continually make educated guesses on behalf of
their users on what to deliver, what to block, and what to quarantine, in the pursuit of the best possible user
experience.
DomainKeys is a technology proposal that can bring black and white back to this decision process by giving
email providers a mechanism for verifying both the domain of each email sender and the integrity of the
messages sent (i.e., that they were not altered during transit). And, once the domain can be verified, it can be
compared to the domain used by the sender in the From: field of the message to detect forgeries. If it's a
forgery, then it's spam or fraud, and it can be dropped without impact to the user. If it's not a forgery, then the
domain is known, and a persistent reputation profile can be established for that sending domain that can be
tied into anti-spam policy systems, shared between service providers, and even exposed to the user.
For well-known companies that commonly send transactional email to consumers, such as banks, utilities,
and ecommerce services, the benefits of verification are more profound, as it can help them protect their
users from "phishing attacks" - the fraudulent solicitation for account information, such as credit card numbers
and passwords, by impersonating the domain and email content of a company to which users have entrusted
the storage of these data. For these companies, protecting their users from fraud emails translates directly
into user protection, user satisfaction, reduced customer care costs, and brand protection.
For consumers, such as Yahoo! Mail users or a grandparent accessing email through a small mid-western
ISP, industry support for sender authentication technologies will mean that they can start trusting email again,
and it can resume its role as one of the most powerful communication tools of our times.
Reference Implementation
In addition to the Internet-Draft, Yahoo! has developed a reference implementation for DomainKeys that can
be plugged into Message Transfer Agents (MTAs), such as qmail. A version of this software has been
released and is available at http://domainkeys.sourceforge.net/. Additionally, Yahoo! is working with Sendmail
to develop a DomainKey implementation for their popular MTA (both the commercial and freeware versions).
In fact, Sendmail, Inc. has released an open source implementation of the Yahoo! DomainKeys specification
for testing on the Internet and is actively seeking participants and feedback for this Pilot Program.
How it Works - Sending Servers
There are two steps to signing an email with DomainKeys:
1. Set up: The domain owner (typically the team running the email systems
within a company or service provider) generates a public/private key pair to use for
signing all outgoing messages (multiple key pairs are allowed). The public key is
published in DNS, and the private key is made available to their DomainKey-
enabled outbound email servers. This is step "A" in the diagram to the right.
2. Signing: When each email is sent by an authorized end-user within the
domain, the DomainKey-enabled email system automatically uses the stored
private key to generate a digital signature of the message. This signature is then
prepended as a header to the email, and the email is sent on to the target
recipient's mail server. This is step "B" in the diagram to the right.
In general, Yahoo! expects that DomainKeys will be verified by the receiving email servers. However, end-
user mail clients could also be modified to verify signatures and take action on the results.
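
The two sending-side steps above, followed by the receiving server's check, as an added example using the openssl command line; it is not Yahoo!'s reference implementation. The domain, selector name and message are constructed, the header tags follow the DomainKeys rsa-sha1 format, and canonicalization is reduced to CRLF line endings.

```bash
#!/bin/sh
# Added example, not Yahoo!'s reference code. Constructed values: the domain,
# the selector and the sample message. Canonicalization is reduced to "every
# line ends in CRLF"; the specification's full rules are not implemented.
DOMAIN=example.com
SELECTOR=mail1   # hypothetical selector name; one selector per key pair
WORK=$(mktemp -d)

dk_setup() {   # Step A: create the key pair and the DNS record publishing it
  openssl genrsa -out "$WORK/private.pem" 2048 2>/dev/null || return 1
  chmod 600 "$WORK/private.pem"   # readable only by the outbound mail server
  openssl rsa -in "$WORK/private.pem" -pubout -outform DER \
    -out "$WORK/public.der" 2>/dev/null || return 1
  # A TXT string holds at most 255 bytes; split the value in a real zone file.
  printf '%s._domainkey.%s TXT k=rsa; p=%s\n' "$SELECTOR" "$DOMAIN" \
    "$(openssl base64 -A -in "$WORK/public.der")"
}

dk_canon() {   # normalise every line ending to CRLF before hashing
  tr -d '\r' < "$1" | awk '{ printf "%s\r\n", $0 }'
}

dk_sign() {    # Step B: sign message $1, write signature header + message to $2
  sig=$(dk_canon "$1" | openssl dgst -sha1 -sign "$WORK/private.pem" | openssl base64 -A)
  [ -n "$sig" ] || return 1
  { printf 'DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=%s; d=%s; b=%s\r\n' \
      "$SELECTOR" "$DOMAIN" "$sig"
    dk_canon "$1"; } > "$2"
}

dk_verify() {  # Receiver: check the b= value on line 1 over the rest of the message
  # public.der stands in for the key a receiver would fetch from DNS.
  head -n 1 "$1" | grep -q '^DomainKey-Signature:' || return 1
  head -n 1 "$1" | sed -n 's|.*; b=\([A-Za-z0-9+/=]*\).*|\1|p' \
    | openssl base64 -d -A > "$WORK/sig.bin"
  tail -n +2 "$1" | openssl dgst -sha1 -keyform DER -verify "$WORK/public.der" \
    -signature "$WORK/sig.bin" >/dev/null 2>&1
}

dk_demo() {    # sign a constructed message, then alter one value "in transit"
  printf 'From: billing@example.com\nSubject: Invoice\n\nPay 10 USD.\n' > "$WORK/msg.eml"
  dk_setup && dk_sign "$WORK/msg.eml" "$WORK/signed.eml" || return 1
  sed 's/10 USD/9000 USD/' "$WORK/signed.eml" > "$WORK/tampered.eml"
  dk_verify "$WORK/signed.eml" && echo "original: signature verifies"
  dk_verify "$WORK/tampered.eml" || echo "tampered: signature rejected"
}
dk_demo || echo "demo failed (is openssl installed?)"
```

SHA-1 appears here because rsa-sha1 is what DomainKeys specified; its successor, DKIM, signs with rsa-sha256.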
How can I send you feedback?
Does DomainKeys require signing of the public key by a Certificate Authority (CA)?
DomainKeys does not require a CA. Much like a trusted Notary Public, Certificate Authorities are used in
public/private key systems to sign, or "endorse," public keys so that the external users of public keys can
know that the public keys they receive are truly owned by the people who sent them. Since DomainKeys
leverages DNS as the public key distribution system, and since only a domain owner can publish to their
DNS, external users of DomainKeys know that the public key they pull is truly for that domain. The CA is not
needed to verify the owner of the public key - the presence in that domain's DNS is the verification. However,
it is possible that Certificate Authorities may become a valuable addition to the DomainKeys solution to add
an even greater level of security and trust.
Which mail transfer agents (MTAs) support DomainKeys?
Sendmail has released a milter implementation for both the commercial and freeware versions of their MTA. A
Qmail patch, an Exim version as well as a qpsmtpd plugin are also available. CERN, the creator of the
WWW, has released a C# library for use in MS Exchange 2003. Port 25's PowerMTA, Etype.net's acSMTP,
ActivSoftware's XMServer, OmniTI's Ecelerity, StrongMail, and Alt-N Technology's MDaemon MTA for
Windows all have DomainKey versions of their software. Finally, Yahoo! has released an open source
reference implementation for DomainKeys that can be plugged into other MTAs.
I don't use my domain's SMTP server to send email. How do I use DomainKeys?
DomainKeys relies on the domain administrator to authorize the use of the domain in an email. If you cannot
use the domain's authorized SMTP server because of port 25 blocking, you have a number of options.
You should encourage your domain to accept submission services on port 587. Your domain
administrator should try to control authorization of the domain. Giving users a path to submit mail will help do
this. Yahoo! Mail recently began offering a submission server on port 587.
You may be able to convince the domain administrator to grant you a user specific key. With a
DomainKey, it should be possible to sign your messages using your mail client or any submission server. In
fact, you could ask your submission service if you could give them a private key to use to sign your domain's
mail.
You could consider using other headers to convey your identity. For instance, the Reply-to: header
allows a recipient's mail client to choose an address to which replies should be sent. The Sender: header
defines the address that injects the message into the SMTP stream. You might consider sending your
message From: your domain, with the Sender: header set to the address of your submission service. Be
aware, however, that this strategy may be viewed suspiciously by anti-spam filters, as it may become a tactic
for spammers and phishers.
Finally, you could choose to send unauthenticated mail. While this will not be a good long term
strategy, it will certainly take quite a while before the vast majority of Internet email is authenticated. If you
choose this path, you should carefully monitor the amount of authenticated mail over time to ensure that this
strategy does not impact the deliverability of your email.