DomainKeys

DomainKeys is a proposed anti-spam system designed by Yahoo! for verifying the DNS domain of an E-mail sender and the message integrity.

DomainKeys performs a similar function to SPF in terms of preventing forgery, and is generally expected to be deployed alongside it.

The initial advantage of DomainKeys is to the owner of the E-mail sending domain, in that it prevents forged E-mails from claiming to be from that domain. Note that DomainKeys does not prevent abusive behavior; rather, it allows it to be tracked and detected more easily. However, this ability to prevent forgery also has benefits for recipients of E-mails as well as senders, and so "DomainKey awareness" is likely to be programmed into E-mail software as DomainKeys begin to be deployed widely.

In 2004, Yahoo! started signing all of its outgoing E-mail with DomainKeys headers. Since Yahoo! is a large E-mail account provider, this may be a sufficient incentive alone for software vendors to start supporting DomainKeys in their software. However, the long-term acceptance of DomainKeys is hard to predict.

Contents

1 Advantages 2 How it works 3 Compatibility 4 Use with spam filtering 5 Disadvantages 5.1 Forwarding 5.2 Protocol overhead 6 Patents and licensing 7 See also 8 External links

Advantages

There are two major advantages of this system for the domain owner:

• It allows a great reduction in abuse desk work for DomainKeys-enabled domains if E-mail receivers use the DomainKeys system to automatically drop forged E-mails claiming to be from that domain.
• The domain owner can then focus their abuse team energies on their own users who actually are abusing their use of that domain.

At the same time, there are incentives for other E-mail users to be able to verify DomainKey information:

• It allows the originating domain of an E-mail to be positively identified, allowing domain-based blacklists and whitelists to be more effective. This is also likely to make phishing attacks more easy to detect.
• It allows forged E-mails to be discarded on sight, either by end-user E-mail software (mail user agents), or by ISPs' mail transfer agents.
• It allows abusive domain owners to be tracked more easily.

How it works

The DomainKeys protocol works by performing a secure hash of the contents of a mail message (using the SHA-1 algorithm by default), encrypting the result using a private key (with the RSA algorithm by default) and then encoding the encrypted data using Base64. The resulting string is then added to the email as the first SMTP header field with the key "DomainKey-Signature:". In essence, the process has added a digital signature to the email.

The receiving SMTP server then uses the name of the domain from which the mail originated to perform a DNS lookup; the returned data includes that domain's public key. The receiver can then decrypt the hash value in the header field and at the same time recalculate the hash value for the mail body that was received, from the point immediately following the "DomainKey-Signature:" header. If the two values match, this proves to a very high degree of confidence that the mail did in fact originate at the purported domain, and has not been tampered with in transit.

Compatibility

Because it is implemented using optional SMTP headers and DNS records, DomainKeys is still backwards-compatible with older E-mail implementations, which simply do not have the extra DNS record, or add the SMTP header into their outbound E-mails. In particular, it is compatible with existing E-mail systems with no cryptographic support.

DomainKeys has also been designed to be compatible with other proposed extensions to the E-mail system, in particular to be compatible with SPF, the S/MIME E-mail standard and DNSSEC. It is also compatible with OpenPGP and GPG.

Use with spam filtering

As DomainKeys becomes widely deployed, the absence of a verifiable digital signature header in an E-mail purporting to be from a domain which has a DomainKeys DNS record is likely to become regarded as proof that that E-mail is a forgery. Thus, E-mails will be able to be divided into three classes:

• valid DomainKey signature: authentic
• invalid or missing DomainKey signature for a domain with the DNS record: forged
• no DNS record or header: unknown status

These values are then likely to be used as input to more general spam filtering algorithms.

Disadvantages

Forwarding

One of the downsides of DomainKeys is that if the message is modified en route by a forwarding mechanism such as a list server, then the domain key signature may no longer be valid and the message may be rejected (if the only modifications en-route involve the addition or modification of headers before the DomainKey-Signature: header, the signature should remain valid; also the mechanism includes features that allow certain limited modifications to be made to headers following DomainKey-Signature and the message body itself without invalidating the signature). To get around this limitation, DomainKeys can be used in combination with another sender authentication technique, such as Sender ID or SPF (note that these mechanisms have their own problems when dealing with forwarding). Yahoo! also suggest that the mailing list itself should re-sign the message itself under these circumstances, thus in effect taking responsibility for the message.

Protocol overhead

DomainKeys requires cryptographic checksums to be generated for each message sent through a mail server, which results in computational overhead not usually required for email delivery. Until recently, this would have been a serious problem. However, as of 2004 computer processors are now fast enough that the cryptographic overhead represents only around 10% of the overall mail-handling load for a typical system.

Patents and licensing

DomainKeys is covered by a U.S. patent owned by Yahoo! Unlike Microsoft's Sender ID system, Yahoo! have released DomainKeys under a royalty-free, nonexclusive, relicensable patent license which is designed to be friendly to open source and free software implementations.

See also

• Email Authentication | | SPF | | Sender ID
• Trusted Email Open Standard
• S/MIME

External links

• http://antispam.yahoo.com/domainkeys
• Yahoo!'s free software reference implementation of DomainKeys
• A brief overview about it (language:Hungarian)