DomainKeys Identified Mail

DomainKeys is a proposed E-mail authentication system designed by Mark Delany of Yahoo! for verifying the DNS domain of an E-mail sender and the integrity of the message. The DomainKeys specification has adopted aspects of Identified Internet Mail, proposed by Jim Fenton of Cisco, to create an enhanced protocol called DomainKeys Identified Mail, or DKIM. This merged specification is the basis for an IETF working group which planned to guide the specification towards becoming an IETF standard.


DomainKeys performs a similar function to the Sender Policy Framework (SPF) in terms of preventing forgery, and is generally expected to be deployed alongside it. While DomainKeys is more complex than SPF, it prevents forgery in a wider range of E-mail deployment scenarios. In particular, E-mail that is forwarded through external relays or forwarding services such as alumni addresses (like alumni.mit.edu) or professional associations (like acm.org) can still be verified with DomainKeys, whereas such E-mail cannot be verified with SPF: SPF checks only the IP address of the connecting mail server, which for forwarded mail is the forwarder rather than the origin domain's server. In addition, DomainKeys verification ensures that the signed content of the E-mail has not been modified, whereas SPF is unaware of any content changes, malicious or otherwise.


The claimed advantage of DomainKeys accrues to the owner of the sending domain, in that it prevents forged E-mails from claiming to be from that domain. Note that DomainKeys does not prevent abusive behavior; rather, it allows abuse to be tracked and detected more easily, because a validly signed message can be attributed with certainty to the domain that signed it. Proponents claim that this ability to prevent forgery also benefits recipients of E-mails as well as senders, and so "DomainKey awareness" is programmed into some E-mail software.


Since 2004, Yahoo! has signed all of its outgoing E-mail with DomainKeys and has verified all incoming mail. Since Yahoo! is a large E-mail account provider, this was thought to be sufficient incentive on its own for software vendors to start supporting DomainKeys in their software. As of 2005, Yahoo! reports that the amount of DomainKeys-verified E-mail it receives exceeds 300 million messages per day. However, the long-term acceptance of DomainKeys is still hard to predict.

Advantages

There are three primary advantages of this system for the domain owner:

  • It allows the originating domain of an E-mail to be positively identified, allowing domain-based blacklists and whitelists to be more effective. This is also likely to make phishing attacks easier to detect, provided the impersonated domain signs its mail: a message claiming to come from that domain but lacking its valid signature stands out.
  • It allows forged E-mails to be discarded on sight, either by end-user E-mail software (mail user agents), or by ISPs' mail transfer agents.
  • It allows abusive domain owners to be tracked more easily.

Receivers also have an incentive to verify DomainKey information, and the domain owner benefits when they do:

  • It allows a great reduction in abuse desk work for DomainKeys-enabled domains if E-mail receivers use the DomainKeys system to automatically drop forged E-mails claiming to be from that domain.
  • The domain owner can then focus their abuse team's energies on their own users who are actually abusing that domain.

How it works

The DomainKeys protocol works by computing a cryptographic hash of the canonicalized message (the headers that follow the signature header, plus the body; SHA-1 by default), signing that hash with the domain owner's private key (RSA by default; the specification describes this as encrypting the hash, but it is an RSA signature over the hash in the usual sense), and then encoding the signature using Base64. The resulting string, together with tags naming the hash and signature algorithm, the canonicalization used, the selector and the signing domain, is added to the E-mail as the first RFC 2822 header field, named "DomainKey-Signature:". In essence, the process has added a digital signature to the E-mail.


The receiving SMTP server then uses the name of the domain from which the mail originated, the fixed label _domainkey, and a selector taken from the header to perform a DNS lookup (a TXT record at selector._domainkey.domain); the returned data includes that domain's public key. The receiver uses the public key to verify the signature in the header field against a hash it recomputes over the mail as received, from the point immediately following the "DomainKey-Signature:" header to the end of the body. If the signature verifies, this cryptographically demonstrates that the mail was signed by a holder of the domain's private key, and so did originate at the purported domain, and that the signed portion has not been tampered with in transit. The check is only as strong as the DNS answer: an attacker who can spoof the TXT response can substitute a public key of their own, which is why DomainKeys is designed to benefit from DNSSEC.


Compatibility

Because it is implemented using optional RFC 2822 header fields and DNS records, DomainKeys is backwards-compatible with the existing E-mail infrastructure. In particular, it is transparent to existing E-mail systems with no DomainKeys support: they simply pass the extra header through unexamined.


DomainKeys has also been designed to be compatible with other proposed extensions to the E-mail system, in particular with SPF, the S/MIME E-mail standard and DNSSEC. It is also compatible with the OpenPGP standard: S/MIME and OpenPGP sign content on behalf of an individual sender inside the message, while DomainKeys signs on behalf of the domain at the header level, so both can be present in the same message.


Use with spam filtering

With DomainKeys, the absence of a verifiable digital signature header in an E-mail purporting to be from a domain which has a DomainKeys DNS record may indicate that that E-mail is a forgery. Thus, E-mails may be divided into three classes:

  • valid DomainKey signature: authentic
  • invalid or missing DomainKey signature for a domain with the DNS record: usually forged
  • no DNS record or header: unknown status

These values can be used as input to more general spam filtering algorithms.


Disadvantages

Content modification in-transit

One of the problems with DomainKeys is that if the message is significantly modified en route by a forwarding mechanism such as a list server, then the signature may no longer be valid and the message may be rejected. If the only modifications en route involve the addition or modification of headers before the DomainKey-Signature: header (as a relay does when it prepends a Received: header), the signature remains valid, since signing begins immediately after that header; the mechanism also includes features that allow certain limited modifications to be made to headers and the message body without invalidating the signature, such as the "nofws" canonicalization, which ignores changes to whitespace.


While some suggest that this limitation can be addressed by combining DomainKeys with SPF, SPF offers no help in the forwarding scenario, which is precisely where modifications are most likely.


Mailing lists that add or change content also effectively invalidate DomainKeys signatures. Yahoo! suggested that the mailing list should re-sign the message itself under these circumstances, thus in effect taking responsibility for the message.
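As an added example (not code from the original page, and not Yahoo!'s or any IETF implementation), the following Go program ties together the "How it works", "Use with spam filtering" and "Content modification in-transit" sections: it signs a constructed message with a DomainKey-Signature header in the RFC 4870 style (rsa-sha1, "simple" canonicalization), verifies it against an in-memory stand-in for DNS, sorts the result into the three classes listed above, and shows which in-transit changes survive verification. Everything named here is an assumption of the example: the domains example.com and other.test, the selector mail2005, the relay name, the message text, the policy record `_domainkey.example.com` with `o=-` (standing in for the "DomainKeys DNS record" of the spam-filtering section), and the simplifications that the signature header sits on a single unfolded line and that only the "simple" canonicalization is supported.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

const ( // verification outcomes: the three classes described in the article
	StatusPass    = "pass"    // valid signature: authentic
	StatusFail    = "fail"    // the domain publishes DomainKeys records but the signature is bad or missing
	StatusUnknown = "unknown" // the domain publishes no DomainKeys records: no verdict
)

type dnsTXT map[string]string // hypothetical in-memory stand-in for DNS TXT lookups (owner name -> record)

// parseTags splits the "k=rsa; p=..." tag lists used by both the header and the TXT record.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// header returns the value of the first header called name (assumed unfolded onto one line) and the
// headers after it; for DomainKey-Signature those are exactly the headers the signature covers.
func header(headers, name string) (value, rest string, found bool) {
	lines := strings.SplitAfter(headers, "\r\n")
	for i, l := range lines {
		if strings.HasPrefix(strings.ToLower(l), name+":") {
			return strings.TrimSpace(l[len(name)+1:]), strings.Join(lines[i+1:], ""), true
		}
	}
	return "", "", false
}

// digest hashes the "simple" canonical form: headers as-is, trailing empty lines of the body removed.
func digest(headers, body string) []byte {
	sum := sha1.Sum([]byte(headers + "\r\n\r\n" + strings.TrimRight(body, "\r\n") + "\r\n"))
	return sum[:]
}

// sign prepends a DomainKey-Signature header: RSA-SHA1 (PKCS#1 v1.5) over the canonical message.
func sign(raw, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	h, b, _ := strings.Cut(raw, "\r\n\r\n")
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest(h, b))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=%s; d=%s; b=%s\r\n%s",
		selector, domain, base64.StdEncoding.EncodeToString(sig), raw), nil
}

// verify classifies a received message using the key record at <selector>._domainkey.<domain> and
// the policy record at _domainkey.<domain> ("o=-": the domain signs all of its mail).
func verify(raw string, dns dnsTXT) (string, error) {
	headers, body, _ := strings.Cut(raw, "\r\n\r\n")
	from, _, _ := header(headers, "from")
	from = strings.ToLower(strings.Trim(from[strings.LastIndex(from, "@")+1:], "> "))
	_, hasPolicy := dns["_domainkey."+from]
	value, rest, signed := header(headers, "domainkey-signature")
	tags := parseTags(value)
	rec, hasKey := dns[tags["s"]+"._domainkey."+tags["d"]]
	switch {
	case !signed && hasPolicy:
		return StatusFail, fmt.Errorf("unsigned mail from %s, which signs all of its mail", from)
	case !signed, !hasKey && !hasPolicy:
		return StatusUnknown, nil
	case !hasKey, tags["a"] != "rsa-sha1", tags["c"] != "simple", tags["d"] != from:
		return StatusFail, fmt.Errorf("unknown selector, unsupported algorithm, or d= is not the From: domain")
	}
	der, _ := base64.StdEncoding.DecodeString(parseTags(rec)["p"]) // a corrupt p= fails to parse below
	key, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	sig, err2 := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || !isRSA || err2 != nil {
		return StatusFail, fmt.Errorf("malformed key record or b= tag")
	}
	// Hash from just after the signature header, so headers relays add above it do not matter.
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest(rest, body), sig) != nil {
		return StatusFail, fmt.Errorf("signature does not match the message as received")
	}
	return StatusPass, nil
}

// runScenarios generates a key, publishes it in the fake DNS, signs a constructed message and reports
// how the verifier classifies the original and copies altered the way relays and list servers do.
func runScenarios() (map[string]string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	dns := dnsTXT{"_domainkey.example.com": "o=-",
		"mail2005._domainkey.example.com": "k=rsa; p=" + base64.StdEncoding.EncodeToString(der)}
	msg := "From: Alice <alice@example.com>\r\nTo: bob@example.net\r\nSubject: Hello\r\n\r\nMeet at noon.\r\n"
	signed, err := sign(msg, "example.com", "mail2005", priv)
	if err != nil {
		return nil, err
	}
	results := map[string]string{}
	for name, m := range map[string]string{
		"signed":                          signed,
		"forwarded (Received: prepended)": "Received: from relay.alumni.example.org\r\n" + signed,
		"body edited in transit":          strings.Replace(signed, "noon", "midnight", 1),
		"list footer appended":            signed + "-- \r\nlist footer\r\n",
		"unsigned, domain publishes keys": msg,
		"unsigned, unknown domain":        strings.Replace(msg, "example.com", "other.test", 1),
	} {
		results[name], _ = verify(m, dns)
	}
	return results, nil
}

func main() { fmt.Println(runScenarios()) }
```

The forwarded copy passes because the relay's Received: header lands above the DomainKey-Signature header and hashing starts below it; the edited body and the appended list footer fail because they change the canonicalized body, which is why a list server that alters messages has to re-sign them under its own domain, as suggested above. The verifier also insists that the d= tag matches the From: domain: without that check a spammer could sign with the key of a domain they control and still present a forged From: address.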


Protocol overhead

DomainKeys requires a cryptographic signature to be generated for each message sent through a mail server, and verified for each message received, which results in computational overhead not usually required for E-mail delivery. Until recently, this would have been a serious problem. However, as of 2004 computer processors are fast enough that the cryptographic overhead represents only around 10% of the overall mail-handling load for a typical system.


Patents and licensing

DomainKeys is covered by a U.S. patent application assigned to Yahoo!. Yahoo! has released DomainKeys under a royalty-free, nonexclusive, relicensable patent license which is designed to be friendly to open source and free software implementations.


See also

  • Email authentication
  • Sender Policy Framework
  • Sender ID
  • S/MIME

The Wikipedia article included on this page is licensed under the GFDL.
Images may be subject to relevant owners' copyright.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.