DomainKeys

Recent news has YAHOO and eBay (among many others, I'm sure) announcing that they will now use DomainKeys to counter phishing and other such scams.

DomainKeys, a technology developed by YAHOO, is based on PKI. When a mail server implements DK technology, all of its validated outgoing messages are signed by the private key part of the public-private keypair, and the public key lives on its DNS.

The received, if DK-aware, will check the DNS, extract the public key and then validate the message as being that from the sender. If the keys do not match or if the DNS does not have the keys then the message can be dropped. Combined with whitelists, and maybe other technologies such as SPF, CSV etc, it will be possible to cut spam.

It is always possible that spammers will sign their messages using DK, but then they cannot hide themselves and can be easily traced. On the other hand if they do not sign their message then it's likely their messages can be dropped (assuming all mailservers/ISPs go to DK eventually).

DKt is backward compatible, so it won't break existing systems. One other thing that DK ensures - other than non-repudiation - is integrity. That's because the message body is signed, and if the receiver detects that the message has changed (by comapring the hash *of* the message to the hash *in* the message header) it can flag/drop it.

There are some concerns with DK -- it won't stop SPAM, it will simply help out in determining the sender of the SPAM. Secondly, it can exploited to create message reply abuse. And that can damage the reputation of a valid sender. That's where technologies such as SPF can help.

In any case, this is a good beginning and much more publicity is needed for this nearly 3-year-old technology.

Be safe!