Yahoo Begins Using DomainKeys

Yahoo has started checking incoming e-mail using DomainKeys, its content-signing e-mail authentication technology, the company said Monday.

DomainKeys is an e-mail identity standard aimed at stopping phishing attacks and laying the foundation for spam-fighting measures. Industry analysts peg DomainKeys as a stronger, yet tougher to implement, standard than SPF and Sender ID, authentication standards supported by AOL and Microsoft, respectively.

DomainKeys is a cryptographic system that adds to each e-mail message's header a digital signature generated with the sending domain's private key. Receivers check that signature against the public key that each Internet domain publishes in the Domain Name System. Receiving servers use the result to determine whether an incoming message is valid and whether the content has been changed.

Unlike Sender ID and SPF, which only require senders to publish server records in the DNS, DomainKeys requires senders to configure their servers to “sign” outgoing mail with the domain's private key. DomainKeys, however, is viewed as more sophisticated because it authenticates the entire message, not just the sender.
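The receiver's key lookup described above can be sketched as follows. This is an added example, not code from Yahoo or the article: the tag names and the `_domainkey` DNS label follow the published DomainKeys specification (RFC 4870), and the selector, domain and key values are constructed.

```python
import re

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(signature_header):
    """DNS name where the receiver fetches the signer's public key."""
    tags = parse_tags(signature_header)
    # b (signature), d (domain) and s (selector) are needed to find and use the key
    missing = [t for t in ("b", "d", "s") if not tags.get(t)]
    if missing:
        raise ValueError("signature missing tags: " + ",".join(missing))
    return "%s._domainkey.%s" % (tags["s"], tags["d"].lower())

def check_key_record(txt_record):
    """Classify a published key record before any signature math is attempted."""
    tags = parse_tags(txt_record)
    if tags.get("k", "rsa") != "rsa":
        return "unsupported-key-type"
    if not tags.get("p"):
        return "revoked"  # an empty p= means the domain withdrew this key
    return "testing" if tags.get("t") == "y" else "usable"

# Constructed sample values (not taken from real mail or DNS)
SAMPLE_SIGNATURE = ("a=rsa-sha1; s=mail2004; d=Example.com; c=nofws; q=dns;\r\n"
                    "  b=QUJDREVG R0hJSktM")
SAMPLE_KEYS = {
    "live": "k=rsa; p=TUlHZk1BMEdDU3FHU0li",
    "pilot": "k=rsa; t=y; p=TUlHZk1BMEdDU3FHU0li",
    "withdrawn": "k=rsa; p=",
}

if __name__ == "__main__":
    print(key_query_name(SAMPLE_SIGNATURE))
    for label, record in SAMPLE_KEYS.items():
        print(label, check_key_record(record))
```

A record in testing mode or with a revoked key is a case the receiver has to decide on before it ever compares the signature with the message content.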

Also, EarthLink said Monday it would start testing DomainKeys in a few weeks. In June, Yahoo joined Microsoft, AOL and EarthLink in an agreement to test DomainKeys and other authentication technologies, though the ISPs did not commit to a roadmap for a single standard.

“We want to see how DomainKeys works in the real world,” said Miles Libbey, Yahoo Mail's anti-spam product manager. “Right now, we're not applying either a positive or negative impact into the spam filters.”

Microsoft and AOL have proceeded with implementing Sender ID. Microsoft began checking incoming messages to MSN and Hotmail for Sender ID records in October. AOL plans to begin checking inbound e-mail for SPF records by the end of the year.

Though Microsoft and AOL are using different methods to check incoming e-mail, senders need only publish one set of server records in the DNS, said Dave Lewis, director of ISP relations at Digital Impact, a San Mateo, CA, e-mail service provider.

“It's not where it should be at this point,” he said of sender adoption. “Going forward, it's clearly what we need to all be doing.”

Libbey warned that widespread adoption of any e-mail authentication system is unlikely in the short term.

“It's going to be a long time before every single domain on the planet is sending 100 percent authenticated e-mail,” he said.

Lewis said disagreement in the receiving community between open-source advocates and Microsoft over license and patent issues surrounding Sender ID hurt adoption.

“There's been a lot of confusion about what's going on,” he said. “I think the dust has settled now.”

CipherTrust, an e-mail application maker, said last week that a little less than one-third of its customers had adopted SPF in October, up from 22 percent in August. DomainKeys adoption is less widespread. Yahoo only began signing outgoing mail last week while Google did so last month.

“You'll see the high-value identity folks have a lot of incentive to begin using DomainKeys,” Libbey said, referring to businesses like Citibank and eBay that are the most commonly spoofed domains.

The E-mail Service Provider Coalition, which represents 50 large e-mail senders, requires members to publish SPF or Sender ID records. The Direct Marketing Association, which has a more diverse membership of large and small senders, has held member seminars to publicize the need to comply with SPF and Sender ID. The DMA is not yet recommending members implement DomainKeys.

“We are absolutely supportive of cryptographic solutions like DomainKeys,” DMA spokesman Jordan Cohen said. “Our position is that it's clear that the Sender ID framework is something that legitimate e-mail senders, both large and small, could easily and cheaply implement immediately.”

E-mail authentication systems are seen as a crucial step in solving the spam problem. Once an e-mail sender's identity can be verified, e-mail receivers can add reputation systems, like IronPort's Bonded Sender, that would let legitimate senders easily distinguish themselves from spammers.
