DomainKeys

DomainKeys is an e-mail authentication system designed to verify the DNS domain of an E-mail sender and the integrity of the message. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail, or DKIM. This merged specification is the basis for an IETF Working Group which plans to guide the specification towards becoming an IETF standard.

Overview

DomainKeys is a method for E-mail authentication. Unlike some other methods, it offers almost end-to-end integrity from a signing to a verifying mail transfer agent (MTA). In most cases the signing MTA acts on behalf of the sender, and the verifying MTA on behalf of the receiver.


DomainKeys is independent of Simple Mail Transfer Protocol (SMTP) routing aspects: it operates on the RFC 2822 message (the transported mail data, header and body), not on the SMTP envelope defined in RFC 2821.


Note that DomainKeys does not prevent abusive behavior; rather, it allows it to be tracked and detected more easily. This ability to prevent some forgery also benefits recipients of E-mails as well as senders, and "DomainKey awareness" is programmed into some E-mail software.


Since 2004, Yahoo! has signed all of its outgoing E-mail with DomainKeys and has verified all incoming mail. As of 2005, Yahoo! reports that the number of DomainKeys-verified e-mails it receives exceeds 300 million messages per day.


How it works

The DomainKeys protocol works by computing a secure hash of the contents of a mail message (using the SHA-1 algorithm by default), encrypting the result with a private key (using the RSA algorithm by default) and then encoding the encrypted data in Base64. The resulting string is added to the e-mail as the first RFC 2822 header field, with the name "DomainKey-Signature:". In essence, the process adds a digital signature to the e-mail.


The receiving SMTP server then uses the name of the domain from which the mail originated, the string _domainkey and a selector taken from the header to perform a DNS lookup; the returned data includes that domain's public key. The receiver can then decrypt the hash value in the header field and, at the same time, recalculate the hash value for the mail body that was received, from the point immediately following the "DomainKey-Signature:" header. If the two values match, this cryptographically proves that the mail did in fact originate at the purported domain and has not been tampered with in transit.
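The sign-then-verify flow just described, as an added example that is not code from the article or from Yahoo!'s implementation: the sender hashes the message with SHA-1, signs the digest with RSA, Base64-encodes it into a DomainKey-Signature header, and the verifier builds the key name from the selector and domain, fetches the public key (here from an in-memory map standing in for DNS) and recomputes the hash over everything after that header. The header tag layout (a=, s=, d=, b=), the in-memory "DNS" and the sample message are simplifying assumptions of this example, not the exact DomainKeys wire format, and no canonicalization of whitespace is performed.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)
// dnsRecords stands in for DNS: "<selector>._domainkey.<domain>" -> public key (constructed in memory here).
var dnsRecords = map[string]*rsa.PublicKey{}

// sign: SHA-1 the message, RSA-sign the digest, Base64 it and prepend it as the first header field.
func sign(priv *rsa.PrivateKey, selector, domain, msg string) string {
	digest := sha1.Sum([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf("DomainKey-Signature: a=rsa-sha1; s=%s; d=%s; b=%s\r\n%s",
		selector, domain, base64.StdEncoding.EncodeToString(sig), msg)
}

// verify: parse the header tags, fetch the key by selector and domain, re-hash what follows the header.
func verify(signed string) bool {
	p := strings.Index(signed, "DomainKey-Signature:")
	if p < 0 || (p > 0 && !strings.HasSuffix(signed[:p], "\r\n")) {
		return false // no signature header at the start of a line: cannot be verified
	}
	hdr, rest, ok := strings.Cut(signed[p+len("DomainKey-Signature:"):], "\r\n")
	tags := map[string]string{}
	for _, f := range strings.Split(hdr, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(f), "=") // first '=' splits tag from value
		tags[k] = v
	}
	pub, found := dnsRecords[tags["s"]+"._domainkey."+tags["d"]]
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if !ok || !found || err != nil {
		return false // unknown selector/domain or undecodable signature
	}
	digest := sha1.Sum([]byte(rest)) // everything after the signature header
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dnsRecords["mail._domainkey.example.com"] = &priv.PublicKey // "publish" the key
	signed := sign(priv, "mail", "example.com", "From: alice@example.com\r\n\r\nHello\r\n")
	fmt.Println(verify(signed), verify(strings.Replace(signed, "Hello", "Hullo", 1))) // true false
}
```

Headers added in front of the signature header (as a relay would) leave the signature valid, while any change after it, a missing header, or an unpublished selector makes verification fail.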


Development

DomainKeys was designed by Mark Delany of Yahoo!. Many other people, including Russ Nelson of qmail, Eric Allman of sendmail, and John R. Levine of the ASRG, provided comments and wrote prototype implementations.


DomainKeys is covered by U.S. Patent 6,986,049, assigned to Yahoo!. Yahoo! has released DomainKeys under a dual license scheme: a traditional corporate-oriented royalty-free, nonexclusive, relicensable patent license, designed to be friendly to open source and free software implementations, and the GPL 2.0 for the purposes of the DKIM IETF Working Group.


Identified Internet Mail, on which DKIM was also based, was proposed by Jim Fenton and Michael Thomas of Cisco.


Advantages

There are three primary advantages of this system for the domain owner:

  • It allows the originating domain of an E-mail to be positively identified, allowing domain-based blacklists and whitelists to be more effective. This is also likely to make phishing attacks easier to detect.
  • It allows forged E-mails to be discarded on sight, either by end-user E-mail software (mail user agents), or by ISPs' mail transfer agents.
  • It allows abusive domain owners to be tracked more easily.

There are also incentives for other E-mail users to be able to verify DomainKey information:

  • It allows a great reduction in abuse desk work for DomainKeys-enabled domains if E-mail receivers use the DomainKeys system to automatically drop forged E-mails claiming to be from that domain.
  • The domain owner can then focus their abuse team energies on their own users who actually are abusing their use of that domain.

Use with spam filtering

With DomainKeys, the absence of a verifiable digital signature header in an E-mail purporting to be from a domain which has a DomainKeys DNS record may indicate that that E-mail is a forgery. Thus, E-mails may be divided into three classes:

  • valid DomainKey signature: authentic
  • invalid or missing DomainKey signature for a domain with the DNS record: usually forged
  • no DNS record or header: unknown status

These values can be used as input to more general spam filtering algorithms.


Compatibility

Because it is implemented using optional RFC 2822 headers and DNS records, DomainKeys is backwards-compatible with the existing E-mail infrastructure. In particular, it is transparent to existing E-mail systems with no DomainKeys support.


DomainKeys has also been designed to be compatible with other proposed extensions to the E-mail system, in particular with SPF, the S/MIME E-mail standard and DNSSEC. It is also compatible with the OpenPGP standard.


Disadvantages

DomainKeys or DKIM signatures do not encompass the message envelope, which holds the return-path and message recipients. A concern for any cryptographic solution is message replay abuse, which bypasses the techniques that currently limit the level of abuse from larger domains. For a comparison of different methods that also address this problem, see E-mail authentication.


Content modification in-transit

One of the problems with DomainKeys is that if the message is significantly modified en route by a forwarding mechanism such as a list server, the signature may no longer be valid and the message may be rejected. If the only modifications en route involve the addition or modification of headers before the DomainKey-Signature: header, the signature should remain valid; the mechanism also includes features that allow certain limited modifications to be made to headers and the message body without invalidating the signature.


Some suggest that this limitation could be addressed by combining DomainKeys with SPF, because SPF is immune to modifications of the e-mail data, and mailing lists typically use their own SMTP error address (the Return-Path). In short, SPF works without problems where DomainKeys might run into difficulties, and vice versa.


Mailing lists that add or change content also effectively invalidate DomainKeys signatures. Yahoo! suggested that the mailing list should re-sign the message itself under these circumstances, thus in effect taking responsibility for the message.


Protocol overhead

DomainKeys requires cryptographic checksums to be generated for each message sent through a mail server, which results in computational overhead not usually required for e-mail delivery. Until recently, this would have been a serious problem. However, as of 2004 computer processors are fast enough that the cryptographic overhead represents only around 10% of the overall mail-handling load for a typical system.


See also

  • E-mail authentication
  • Sender Policy Framework (SPF)
  • S/MIME
  • OpenPGP

The Wikipedia article included on this page is licensed under the GFDL.