DomainKeys Set to Send Mail

The Yahoo-backed DomainKeys e-mail authentication initiative this week got a boost from Sendmail,
one of the most widely used Mail Transfer Agent (MTA) technologies.

According to the results of a benchmarking performance study
conducted by Sendmail Inc., the use of DomainKeys only marginally impacted e-mail server performance and offered
a “tenfold performance increase over typical milter-based spam filters.”

“If e-mail authentication technology is to be widely adopted, it must have minimal impact on productivity and system
performance,” said Sendmail CTO Eric Allman in a statement. “These are impressive results for early code.
They suggest that DomainKeys will be more efficient than current methods of filtering and evaluating all messages.”

DomainKeys is a cryptography-based e-mail authentication technology that inserts a digital signature into
every message to guarantee it was not changed in transit and to verify the
original sender of the message. Yahoo is openly developing the DomainKeys library for e-mail
servers and clients on a SourceForge-listed project. Sendmail has
developed an open source implementation of the DomainKeys mail filter, which plugs into both its open source
and commercial Sendmail MTAs.

Though it’s a step in the right direction, Ken Dunham, director of Malicious Code at
iDefense, doesn’t see DomainKeys as a “magic bullet” for computer security.

“DomainKeys are a valid way to help authenticate e-mails,” Dunham told “However, an MTA,
such as Microsoft Exchange, may modify the message body rendering the signature invalid. For example,
Microsoft Exchange may convert character sets, making the body different from the DomainKey in the ‘From’
header of the e-mail. Thus, as seen with other solutions on the market today, DomainKeys are not perfect
but do offer some enhanced security.”
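
The failure mode Dunham describes can be reproduced offline. The following Python sketch is an added example, not code from Yahoo's or Sendmail's DomainKeys implementations: it compares the SHA-1 body digest a signature would cover before and after a relay alters the body, using a simplified approximation of DomainKeys' "simple" and "nofws" canonicalization and leaving out the RSA step. The message bodies and function names are constructed for illustration.

```python
import hashlib

def canonicalize(body: bytes, mode: str) -> bytes:
    """Simplified body canonicalization (assumption: approximates the
    DomainKeys 'simple' and 'nofws' modes, not the full algorithm)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "nofws":
        # Whitespace-tolerant mode: drop spaces and tabs inside each line.
        lines = [l.replace(b" ", b"").replace(b"\t", b"") for l in lines]
    # Trailing empty lines are ignored in both modes.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def body_digest(body: bytes, mode: str) -> str:
    """Digest the signer would sign; the RSA step is omitted here."""
    return hashlib.sha1(canonicalize(body, mode)).hexdigest()

def survives_relay(signed: bytes, delivered: bytes, mode: str) -> bool:
    """True if the digest covered by the signature still matches on delivery."""
    return body_digest(signed, mode) == body_digest(delivered, mode)

def transcode(body: bytes, src: str, dst: str) -> bytes:
    """Constructed stand-in for a relay that converts character sets."""
    return body.decode(src).encode(dst)

# Constructed sample bodies (not taken from any real message).
TEXT = "Caf\u00e9 menu attached.\r\nSee you at 10.\r\n"
SIGNED = TEXT.encode("iso-8859-1")
REWRAPPED = "Caf\u00e9 menu  attached. \r\nSee you at 10.\r\n\r\n".encode("iso-8859-1")
TRANSCODED = transcode(SIGNED, "iso-8859-1", "utf-8")

def report() -> dict:
    """Map (change, mode) to whether verification would still succeed."""
    cases = {"unchanged": SIGNED, "whitespace": REWRAPPED, "charset": TRANSCODED}
    return {(name, mode): survives_relay(SIGNED, body, mode)
            for name, body in cases.items() for mode in ("simple", "nofws")}

if __name__ == "__main__":
    for (name, mode), ok in report().items():
        print(f"{name:10} {mode:6} {'verifies' if ok else 'signature breaks'}")
```

Whitespace changes survive the whitespace-stripping mode, but a character-set conversion changes the signed bytes under either mode, so a verifier would reject the message.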

In addition to Yahoo’s DomainKeys initiative, Microsoft’s e-mail authentication scheme, SenderID,
has also garnered a lot of media attention, although
neither of these initiatives is the first (nor likely the last) to help
protect against forged e-mails.

According to Paul Vixie, co-founder of the Internet Systems Consortium (the group that produces the
Berkeley Internet Name Domain, or BIND),
the IT community didn’t take any of this seriously until Yahoo and Microsoft took an interest
in pushing their own solutions to this problem.

“DomainKeys is one of several competing proposals for e-mail source authentication,” Vixie explained to “Because it has backing from Yahoo, DomainKeys could be widely adopted, even though an
inferior standard has backing from Microsoft and will therefore also be widely adopted. There is room for
more than one 800-pound gorilla in this space.”

Vixie sees DomainKeys and SenderID as competing technologies that domain administrators will have to

“For PR reasons, both Yahoo and Microsoft will continue to bet on their own respective horses, and the
community of e-mail servers and domain holders will have to implement both of them in order to get the
benefits of e-mail authentication,” Vixie said. “This is not a problem. In fact, this kind of ‘ecodiversity’
may be the best thing, considering that all such authentication systems will come under continuous attack by
spammers and data miners of all kinds.”

Microsoft also sees DomainKeys as a technology that can co-exist with SenderID.

“Microsoft regards DomainKeys as a complementary technology to
Sender ID,” a Microsoft spokesperson told “We do see promise in signature-based proposals
(of which DomainKeys is one) and look at this as a longer term solution.”

E-mail authentication schemes will hopefully cut down on e-mail forgery and phishing; however, they are not expected
to cut down the volume of spam.

Vixie explained that Yahoo (and others) wants to ensure that if an address
appears to come from a particular domain, it actually is coming from that domain and wasn’t forged by a
spammer. He does not believe that it will affect the volume of spam, as spammers will inevitably find
unprotected domains or register “throwaway” domains to operate from.

“Assuming global adoption of one or more successful technologies for
e-mail authentication, the best possible outcome will be protection of domain names
— and therefore protection of brands — against forgery,” Vixie said. “There will be no change in the volume
of spam sent or received.”

“We mustn’t mislead the public in this regard.”

