RealTime IT News

DomainKeys Set to Send Mail

The Yahoo-backed DomainKeys e-mail authentication initiative this week got a boost from Sendmail, one of the most widely used Mail Transfer Agent (MTA) technologies.

According to the results of a performance benchmarking study conducted by Sendmail Inc., the use of DomainKeys only marginally impacted e-mail server performance and offers a "tenfold performance increase over typical milter-based spam filters."

"If e-mail authentication technology is to be widely adopted, it must have minimal impact on productivity and system performance," said Sendmail CTO Eric Allman in a statement. "These are impressive results for early code. They suggest that DomainKeys will be more efficient than current methods of filtering and evaluating all messages."

DomainKeys is a cryptography-based e-mail authentication technology that inserts a digital signature into every message to guarantee it was not changed in transit and to verify the original sender of the message. Yahoo is openly developing the DomainKeys library for e-mail servers and clients on a SourceForge-listed project. Sendmail has developed an open source implementation of the DomainKeys mail filter, which plugs into both its open source and commercial Sendmail MTAs.

Though it's a step in the right direction, Ken Dunham, director of Malicious Code at iDefense, doesn't see DomainKeys as a "magic bullet" for computer security.

"DomainKeys are a valid way to help authenticate e-mails," Dunham told internetnews.com. "However, an MTA, such as Microsoft Exchange, may modify the message body, rendering the signature invalid. For example, Microsoft Exchange may convert character sets, making the body different from the DomainKey in the 'From' header of the e-mail. Thus, as seen with other solutions on the market today, DomainKeys are not perfect but do offer some enhanced security."
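The failure mode Dunham describes can be reproduced in a few lines. This is an added Python sketch, not code from the article, Yahoo or Sendmail: a SHA-1 digest of the body bytes stands in for the DomainKeys signature (an assumption made to keep it self-contained), and the sample message, charset list and function names are constructed.

```python
import hashlib
import hmac

# Constructed sample: a body with one non-ASCII character, as the sender encoded it.
SENT_CHARSET = "iso-8859-1"
SENT_BODY = "Your invoice total is 120 \u00a3.\r\n".encode(SENT_CHARSET)


def signed_value(body: bytes) -> str:
    """Stand-in for the signature: a digest of the exact body bytes.
    Assumption: real DomainKeys signs headers and body with the domain's key."""
    return hashlib.sha1(body).hexdigest()


def verify(body: bytes, signature: str) -> bool:
    """Receiver side: recompute over the bytes that arrived and compare."""
    return hmac.compare_digest(signed_value(body), signature)


def transcode(body: bytes, src: str, dst: str) -> bytes:
    """Model a relay that converts the body from one charset to another."""
    return body.decode(src).encode(dst)


def triage(sent: bytes, sent_charset: str, received: bytes,
           candidates=("utf-8", "iso-8859-1", "windows-1252")) -> str:
    """Compare the sender's copy with the delivered copy to classify a failure."""
    if sent == received:
        return "intact"
    text = sent.decode(sent_charset)
    for cs in candidates:
        try:
            if received.decode(cs) == text:
                # Same characters, different bytes: a relay re-encoded the body.
                return f"transcoded to {cs}"
        except UnicodeDecodeError:
            continue
    return "content changed"


if __name__ == "__main__":
    sig = signed_value(SENT_BODY)
    relayed = transcode(SENT_BODY, SENT_CHARSET, "utf-8")
    print("verifies after relay:", verify(relayed, sig))
    print("triage:", triage(SENT_BODY, SENT_CHARSET, relayed))
```

A body that is pure ASCII survives the same conversion byte for byte, which is why this kind of failure tends to show up only on messages containing accented or symbol characters.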

In addition to Yahoo's DomainKeys initiative, Microsoft's e-mail authentication scheme, SenderID, has also garnered a lot of media attention, although neither of these initiatives is the first (nor likely the last) to help protect against forged e-mails.

According to Paul Vixie, co-founder of the Internet Systems Consortium (the group that produces the Berkeley Internet Name Domain, or BIND), the IT community didn't take any of this seriously until Yahoo and Microsoft took an interest in pushing their own solutions to this problem.

"DomainKeys is one of several competing proposals for e-mail source authentication," Vixie explained to internetnews.com. "Because it has backing from Yahoo, DomainKeys could be widely adopted, even though an inferior standard has backing from Microsoft and will therefore also be widely adopted. There is room for more than one 800-pound gorilla in this space."

Vixie sees DomainKeys and SenderID as competing technologies that domain administrators will have to implement.

"For PR reasons, both Yahoo and Microsoft will continue to bet on their own respective horses, and the community of e-mail servers and domain holders will have to implement both of them in order to get the benefits of e-mail authentication," Vixie said. "This is not a problem. In fact, this kind of 'ecodiversity' may be the best thing, considering that all such authentication systems will come under continuous attack by spammers and data miners of all kinds."

Microsoft also sees DomainKeys as a technology that can co-exist with SenderID.

"Microsoft regards DomainKeys as a complementary technology to Sender ID," a Microsoft spokesperson told internetnews.com. "We do see promise in signature-based proposals (of which DomainKeys is one) and look at this as a longer term solution."

E-mail authentication schemes will hopefully cut down on e-mail forgery and phishing; however, they are not expected to cut down the volume of spam.

Vixie explained that Yahoo (and others) want to ensure that if an address appears to come from a particular domain, it actually is coming from that domain and wasn't forged by a spammer. He does not believe that it will affect the volume of spam, as spammers will inevitably find unprotected domains or register "throwaway" domains to operate from.

"Assuming global adoption of one or more successful technologies for e-mail authentication, the best possible outcome will be protection of domain names -- and therefore protection of brands -- against forgery," Vixie said. "There will be no change in the volume of spam sent or received."

"We mustn't mislead the public in this regard."