Yahoo Releases Specs for DomainKeys

Five months after proposing it, Yahoo published the technical details of its DomainKeys system for e-mail authentication.

Yahoo filed DomainKeys' technical specifications this week with the Internet Engineering Task Force, the body that develops Web-wide standards. Yahoo said it would make DomainKeys available as a free technology.

DomainKeys is one of three authentication technologies championed to ensure the true identity of an e-mail sender. Spammers can forge their identity easily under the current e-mail protocol. Microsoft has released its own technology, Caller ID for E-mail, and AOL has thrown its support behind SPF, an open standard.

Publication of DomainKeys' specifications comes as the task force meets this week to consider the three proposed standards.

“It seems to me there's a strong interest among the participating parties to, at a minimum, create interoperability,” said Hans Peter Brondmo, senior vice president at e-mail service provider Digital Impact. “My view is they should lock themselves in a room and mash their heads together until they come up with a single proposal.”

E-mail authentication systems are seen as a crucial step in solving the spam problem. Once an e-mail sender's identity can be verified, e-mail receivers can add reputation systems, like IronPort's Bonded Sender, that would let legitimate senders easily distinguish themselves from spammers.

DomainKeys is a public-key cryptographic system that operates without a third-party certification agency. With it, each domain signs outgoing e-mail messages with its private key and places the resulting digital signature in the message header; the private key itself never leaves the domain. Receivers look up the public key the domain registered with the Internet's Domain Name System and use it to check the signature. If the signature checks out against the message as received, the receiving server treats the incoming message as valid.

“It is not a magic bullet for spam,” Yahoo's Mark Delany wrote in the Internet Draft submitted to the task force. “However, a strong authentication system such as DomainKeys creates an unimpeachable framework within which comprehensive authorization systems, reputations systems and their ilk can be developed.”

Sendmail, which handles 60 percent of the Internet's e-mail, plans to implement Caller ID and test DomainKeys as part of its free and commercial Message Transfer Agent versions.

Margaret Olson, co-chairwoman of the E-mail Service Provider Coalition's technical committee, said she was impressed with the thoroughness of Yahoo's proposal, particularly the attention paid to third-party mailing situations, including e-mail forwarding and e-mail service providers.

“You can't just say we're going to leave 25 percent of the messages on the Internet out,” she said.

Brondmo said he could envision a scenario where the task force lays out a roadmap of progressively more complex authentication, beginning with SPF, moving to Caller ID and ending in some version of DomainKeys.

“The short of it is they get increasingly more complicated,” he said.

Yahoo admits that DomainKeys will have problems with some situations. Because it authenticates the entire message, it could have trouble in situations where e-mail software alters e-mail text. It also might have difficulty distinguishing e-mail sent by a businessperson using his laptop on the road, since his corporate domain would not match the hotel's servers.

“While DomainKeys does not prescribe any specific action for such e-mail, it is likely that over time such e-mail will be treated as second-class e-mail,” Delany wrote of roving users.
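The sign-and-verify exchange described above, together with the fragility noted in the preceding paragraph (any relay that alters the signed text breaks verification), as an added example. This is not Yahoo's code or the published specification: it is a constructed Go illustration in which a map stands in for DNS, the header tags (`a`, `d`, `s`, `b`) and the `_domainkey` label are modelled on the draft's conventions rather than copied from it, and the canonicalization rule (trim trailing whitespace, CRLF line endings) is a simplification chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// dnsTXT is a constructed stand-in for the Domain Name System: the name
// "<selector>._domainkey.<domain>" maps to the TXT record the domain owner
// published. A real verifier would issue a DNS query for this name.
var dnsTXT = map[string]string{}

// PublishKey records a domain's RSA public key where receivers will look it up.
// Only the public key is published; the private key never appears in any
// message header or DNS record.
func PublishKey(domain, selector string, pub *rsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	dnsTXT[selector+"._domainkey."+domain] = "k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return nil
}

// canonicalize produces the exact bytes that get signed: the selected headers,
// a blank line, then the body, with trailing whitespace trimmed on every line
// and CRLF line endings. Any change a relay makes outside these rules
// (an appended footer, a rewritten header) invalidates the signature.
func canonicalize(headers []string, body string) []byte {
	var b strings.Builder
	for _, h := range headers {
		b.WriteString(strings.TrimRight(h, " \t") + "\r\n")
	}
	b.WriteString("\r\n")
	for _, line := range strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n") {
		b.WriteString(strings.TrimRight(line, " \t") + "\r\n")
	}
	return []byte(b.String())
}

// SignMessage is the sending domain's step: hash the canonical message and sign
// the hash with the domain's private key. The returned header value carries the
// signature plus the domain and selector the receiver needs for the key lookup.
func SignMessage(priv *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	digest := sha256.Sum256(canonicalize(headers, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("a=rsa-sha256; d=%s; s=%s; b=%s", domain, selector,
		base64.StdEncoding.EncodeToString(sig)), nil
}

// parseTags splits "k=v; k=v" header and record syntax into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = v
		}
	}
	return tags
}

// VerifyMessage is the receiving server's step: fetch the public key named by
// the signature header's domain and selector, then check the signature against
// the message as received. A false result means the message or signature was
// altered; an error means the domain published no key to check against.
func VerifyMessage(sigHeader string, headers []string, body string) (bool, error) {
	tags := parseTags(sigHeader)
	record, ok := dnsTXT[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return false, errors.New("no DomainKeys record published for " + tags["d"])
	}
	der, err := base64.StdEncoding.DecodeString(parseTags(record)["p"])
	if err != nil {
		return false, err
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return false, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("published key is not RSA")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(canonicalize(headers, body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sending domain's key
	_ = PublishKey("example.com", "mail2004", &priv.PublicKey)
	hdrs := []string{"From: alice@example.com", "Subject: hello"}
	sigHdr, _ := SignMessage(priv, "example.com", "mail2004", hdrs, "Meet at noon.")
	ok, _ := VerifyMessage(sigHdr, hdrs, "Meet at noon.")
	fmt.Println("intact message verifies:", ok)
	ok, _ = VerifyMessage(sigHdr, hdrs, "Meet at noon.\n-- footer added in transit")
	fmt.Println("altered message verifies:", ok)
}
```

The altered-body case is the failure mode the article attributes to DomainKeys: a mailing list or forwarding service that appends a footer produces bytes the original signature never covered, so the receiver sees a valid key and a bad signature. Whitespace-only changes survive because the canonicalization step discards them before hashing, which is the kind of rule a real specification has to pin down precisely.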

Yahoo made available an alpha version of the software at The company said it is working on a reference implementation that can be plugged into Message Transfer Agents. Yahoo said it would make this plug-in available for free.
