
Simon Willison’s Weblog

Domain Keys Explained

Via Jeremy Zawodny, Yahoo’s Anti-Spam Resource Center have published an explanation of their proposed Domain Keys spam-fighting technique. At first glance it looks very promising. There’s no centralised authority, no requirements for changes to existing protocols and the central concept is extremely easy to understand. Essentially, mail servers generate a public/private key pair and sign outgoing messages with the private key, while publishing the public key as part of their DNS record. Because only they can publish to their public key in this way the signature can be used to confirm that the sender of the email has not been spoofed. The presence or lack of a signature can be used as part of the process of identifying spam.

The FAQ covers all the bases I could think of, and explains how Domain Keys can help fight phishing attacks as well.
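The sign, publish and verify flow described above, as a small runnable model. This is an added example, not code from Yahoo or from the original post. The toy RSA key, the dict standing in for DNS, the reduced set of record and header tags, and the function names are all assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA built from two Mersenne primes: constructed, far too small for real mail.
N = (2**61 - 1) * (2**31 - 1)
E = 65537
D = pow(E, -1, (2**61 - 2) * (2**31 - 2))  # private exponent, never leaves the sender

DNS = {}  # stand-in for DNS: TXT record text keyed by record name


def digest(from_addr, body, n):
    data = f"From: {from_addr}\r\n\r\n{body}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def parse_tags(text):
    return dict(p.strip().split("=", 1) for p in text.split(";") if "=" in p)


def publish_key(domain, selector):
    # Only the domain's owner can write to its zone; that binds the key to the domain.
    DNS[f"{selector}._domainkey.{domain}"] = f"n={N}; e={E}"


def sign_outgoing(domain, selector, from_addr, body):
    sig = pow(digest(from_addr, body, N), D, N)
    return {"From": from_addr, "body": body,
            "DomainKey-Signature": f"d={domain}; s={selector}; b={sig}"}


def verify_incoming(msg):
    header = msg.get("DomainKey-Signature")
    if header is None:
        return "none"  # unsigned: one input to spam scoring, not proof of forgery
    try:
        tags = parse_tags(header)
        if msg["From"].rsplit("@", 1)[-1].lower() != tags["d"].lower():
            return "fail"  # signed by a domain other than the one in From
        key = parse_tags(DNS[f"{tags['s']}._domainkey.{tags['d']}"])
        n, e = int(key["n"]), int(key["e"])
        ok = pow(int(tags["b"]), e, n) == digest(msg["From"], msg["body"], n)
    except (KeyError, ValueError):
        return "fail"  # malformed header, or no key published at that name
    return "pass" if ok else "fail"
```

The verifier trusts whatever key the lookup returns, so the result is only as reliable as the DNS answer the receiving server gets.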

This is Domain Keys Explained by Simon Willison, posted on 19th May 2004.


10 comments

  1. And like Photo Matt says, the DomainKeys page is styled entirely with CSS. Try the disable stylesheets bookmarklet on it. Very nice.

    Micah - 19th May 2004 02:59 - #

  2. It's about time too. Now some of the onus of spam prevention can be placed on the ISPs. They have to implement this, or customers are going to walk! Reading the details of the technique, one can't help but admire its simplicity. Wonderful stuff.

    DarkBlue - 19th May 2004 08:03 - #

  3. Although clever, this would appear to be trivially vulnerable to DNS spoofing.

    If I can successfully inject my "own" domain key record into a recipient's cache, I can send all the spam I want and claim it was from you. Even better, your legitimate mail will fail, or get marked as spam.

    Karl Ramm - 19th May 2004 15:16 - #

  4. I wonder why they are using the IETF rather than the W3C for a standards body?

    Is the IETF a more appropriate body for this type of technology?

    AlastairC - 19th May 2004 20:28 - #

  5. I completely agree with you DarkBlue:

    They have to implement this, or customers are going to walk!

    I was managing about 20 domains for our clients and over time they all started coming to me with more and more spam complaints. They were all hosted at Interland at the time, but after all the gripes I ended up walking from Interland and going with a different host and then outsourcing the mail to an email security/spam filtering company, I ended up choosing Sentinare for their spam filtering. So long Interland... your customers were fed up!

    Nelson.B. - 19th May 2004 22:03 - #

  6. """Because only they can publish to their public key in this way the signature can be used to confirm that the sender of the email has not been spoofed."""

    The Sender Policy Framework (SPF) seeks also to verify the sender of the email, by publishing a record in DNS saying "this server is authorised to send email from *@fred-bloggs.com".

    Both of these systems have the requirement that all your users have to send through an authorised server, which means travelling users need access from outside; who knows what it will do to ISP mail servers, many of which currently allow open relaying to all with one of their dialup accounts.

    They also rely heavily on mass-adoption before they will become really useful. Which could be a problem as there's more than one approach to the problem...

    sfb - 19th May 2004 22:31 - #

  7. AlastairC :

    """Is the IETF a more appropriate body for this type of technology?"""

    Yes, it is.

    IETF are the ones that publish the diverse (and numerous) RFCs that defined HTTP, SMTP, POP, etc. That kind of standardisation is done at their "level". The W3C is about the Web "only" (since the WWW is a laaaarge domain).

    BenC - 21st May 2004 14:19 - #

  8. Wouldn't Domain Keys present a problem for users who use their ISP's SMTP server to send mail from the account on another service?

    Perhaps I own a domain name and my web hosting package includes email accounts but no SMTP server. Right now it's easy enough to retrieve the mail from the web host using IMAP or POP and send mail using my ISP's SMTP server. If Domain Keys were implemented on my ISP's SMTP, suddenly my mail looks like spam because the domain name in example@mydomain.com doesn't match ispdomain.com. I think SMTP is outdated and needs to be replaced; the Domain Keys bandaid won't fix it.

    David Robarts - 23rd May 2004 22:56 - #

  9. I am a non-English user but this subject is very interesting to me. Thank you.

    Turystyka - 5th July 2004 15:05 - #

  10. Also, Yahoo, Cisco, Microsoft, Novell and Alt-N (I think there are others) are working on a new spec called DKIM that should work fantastically at stopping phishing. The IETF just this last week accepted the DKIM idea to be turned into a workgroup for standardization. I for one am glad to be able to know that the message is FROM the server it says it's from and that the message hasn't been tampered with.

    Randy Peterman - 11th November 2005 19:54 - #


Previously hosted at http://simon.incutio.com/archive/2004/05/19/domainKeys
