The DomainKeys initiative is designed to dramatically reduce spam. In March, Yahoo! submitted a DomainKeys memo to the IETF in order to spur discussion. Yahoo! has been signing its emails with DomainKeys headers since 2004.
The goal? To dramatically reduce spoofing of sender email addresses. How many bogus phishing emails from "PayPal" are sent out each day? How many from Bank of America? There's little question that something needs to be done about the proliferation of spoofed spam messages.
Just how does DomainKeys work? It relies upon a combination of PKI and DNS. First, a hash is created of the email message contents (using SHA-1 by default). The hash is encrypted using a private key unique to the sending domain (e.g., "yahoo.com"). The encrypted hash is then converted to printable ASCII characters using base-64. This value is then tacked on to the message headers (under the new SMTP header "DomainKey-Signature").
The receiving server uses the claimed sending domain to perform a DNS lookup. The returned data includes the domain's public key. The recipient server can then decrypt the hash value and compare it to its own generated hash of the message content to validate the message. This ensures two things: the message truly was sent by the domain that claimed to have sent it, and the message has not been tampered with en route.
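The sign-and-verify flow described above, as an added example (not Yahoo!'s code or the DomainKeys wire format). Assumptions: the toy RSA key, the `FAKE_DNS` dict standing in for the DNS lookup, the domain `example.com`, and the function names are all constructed for illustration; only the message body is hashed and no canonicalization is applied.

```python
import base64
import hashlib

# Constructed toy RSA key built from two Mersenne primes: demo only, never for real mail.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # DigestInfo for SHA-1

# Stand-in for DNS: claimed sending domain -> published public key (n, e).
FAKE_DNS = {"example.com": (N, E)}

def _encode(body: bytes, n: int) -> int:
    """SHA-1 the content and wrap the digest in PKCS#1 v1.5 signature padding."""
    k = (n.bit_length() + 7) // 8    # modulus size in bytes
    t = SHA1_PREFIX + hashlib.sha1(body).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(body: bytes) -> str:
    """Sender: private-key operation on the padded hash, then base64 for the header."""
    sig = pow(_encode(body, N), D, N)
    return base64.b64encode(sig.to_bytes((N.bit_length() + 7) // 8, "big")).decode()

def verify(claimed_domain: str, header_value: str, body: bytes) -> bool:
    """Receiver: look up the claimed domain's key, recover the hash, compare."""
    key = FAKE_DNS.get(claimed_domain)
    if key is None:                  # no published key, so the claim is unproven
        return False
    n, e = key
    try:
        sig = int.from_bytes(base64.b64decode(header_value, validate=True), "big")
    except ValueError:               # malformed base64 in the header
        return False
    if sig >= n:
        return False
    # Compare the whole padded block, not just the trailing digest bytes.
    return pow(sig, e, n) == _encode(body, n)

if __name__ == "__main__":
    body = b"Your statement is ready.\r\n"          # constructed sample message
    header = sign(body)
    print("DomainKey-Signature:", header[:32] + "...")
    print("genuine:  ", verify("example.com", header, body))
    print("tampered: ", verify("example.com", header, body + b"Click here."))
    print("spoofed:  ", verify("paypal.example", header, body))
```

Comparing the full padded block rather than parsing out the digest avoids accepting signatures with malformed padding.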
DomainKeys is covered by a U.S. patent owned by Yahoo! However, the company has released it under a royalty-free patent license designed to be interoperable with a variety of software implementations including freeware and open-source.
At present, DomainKeys is many things - but one thing it isn't is cheap. BusinessWeek reports:
"...an e-mail security system with DomainKeys for a mass e-mailer costs $500,000, on average, says IronPort. For a big company, that's not much to stymie forged e-mails that can damage reputations and clog up millions of e-mail accounts..."
The costs are sure to diminish as mailers swarm to this open-source-friendly approach.