
The LambCutlet Disorganisation

DomainKeys™! As! SPAMicide!

Posted by Jonathan at 11:17:55 UTC on the 19th of May, 2004

Yahoo! has just published their DomainKeys™ proposal to the IETF, and it looks to be a promising way to combat SPAM and spoofed or fraudulent E-Mails without requiring any changes to existing protocols.

Essentially, a public/private key pair will be generated by mail servers. The private key will be used to sign any outgoing messages and the public key will be published as part of that domain’s DNS record. Together, they will be used to confirm the validity of the E-Mail and there are also additional checks to ensure signed E-Mails have not been tampered with during transit.

Excerpts from their FAQ:

How will this help stop spam?
Several ways. First, it can allow receiving companies to drop or quarantine unsigned email that comes from domains that are known to always sign their emails with DomainKeys, thus impacting spam and phishing attacks. Second, the ability to verify sender domain will allow email service providers to begin to build reputation databases that can be shared with the community and also applied to spam policy. For example, one ISP could share their “spam vs. legit email ratio” for the domain www.example.com with other ISPs that may not yet have built up information about the credibility and “spamminess” of email coming from www.example.com. Last, by eliminating forged From: addresses, we can bring server-level traceability back to email (not user-level - we believe that should be a policy of the provider and the choice of the user). Spammers don’t want to be traced, so they will be forced to only spam companies that aren’t using verification solutions.
How will this help stop fraud/phishing attacks?
Companies that are susceptible to phishing attacks can sign all of their outgoing emails with DomainKeys and then tell the world this policy so that email service providers can watch and drop any messages that claim to come from their domain that are unsigned. For example, if the company www.example.com signs all of its outgoing email with DomainKeys, Yahoo! can add a filter to its SpamGuard system that drops any unsigned or improperly signed messages claiming to come from the domain www.example.com, thus protecting tens of millions of example.com’s customers or prospective customers from these phishing attacks.

The latter is certainly something I look forward to, as since the MyDoom virus and similar viral epidemics I’m certainly growing rather tired of the extra strain it’s put on my inbox. Good news is that Yahoo! will have a reference implementation of DomainKeys™ for my MTA of choice, qmail. :D
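The receiving-side filtering that the FAQ excerpts describe, sketched as an added example; it is not code from the original post or from Yahoo!'s reference implementation. The tag names (`o=`, `t=`, `s=`, `d=`, `p=`) and the `_domainkey` DNS labels follow the DomainKeys specification as later published in RFC 4870; the DNS table, the selector `sel1`, the functions `parse_tags` and `verdict`, and the `check_signature` hook are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups, so the example runs offline.
DNS_TXT = {
    "_domainkey.example.com": "o=-",                  # policy: all mail is signed
    "sel1._domainkey.example.com": "k=rsa; p=PUBKEY-PLACEHOLDER",
    "_domainkey.example.net": "o=~",                  # policy: some mail is signed
}

def parse_tags(value):
    """Split 'a=b; c=d' tag lists (signature header, key and policy records)."""
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def verdict(raw_message, check_signature):
    """Return 'accept', 'neutral' or 'drop' for one message.

    check_signature(msg, sig_tags, key_tags) -> bool is the RSA check,
    supplied by the caller's crypto library (hypothetical hook).
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("Sender") or msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    policy = parse_tags(DNS_TXT.get("_domainkey." + domain, ""))
    # Only a domain that says it signs everything (and is not testing)
    # lets the receiver drop unsigned or badly signed mail outright.
    always_signs = policy.get("o") == "-" and policy.get("t") != "y"
    failure = "drop" if always_signs else "neutral"

    header = msg.get("DomainKey-Signature")
    if header is None:
        return failure                                # unsigned mail
    sig = parse_tags(header)
    d = sig.get("d", "").lower()
    # The signing domain must be the sender's domain or a parent of it.
    if not d or not (domain == d or domain.endswith("." + d)):
        return failure
    key = parse_tags(DNS_TXT.get(f"{sig.get('s', '')}._domainkey.{d}", ""))
    if not key.get("p"):                              # no key published, or revoked
        return failure
    return "accept" if check_signature(msg, sig, key) else failure

if __name__ == "__main__":
    unsigned = "From: Example <alerts@example.com>\nSubject: constructed\n\nhi\n"
    print(verdict(unsigned, lambda m, s, k: True))    # unsigned, domain always signs
```

A failed or missing signature only leads to `drop` when the sending domain has published the "all mail is signed" policy; for every other domain the result is `neutral`, leaving the decision to reputation data and other filters.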

Props to Matthew Mullenweg, Simon Wilson & Jeremy Zawodny for the heads up regarding Yahoo!’s publication.

Filed under: Internet, Technology
