With more searches - it seems there are other people who have thought about adding digital signatures to messages, and it seems other people found this to not be a very good solution. I was expecting this - I was very surprised at first that I didn't find anything related.
Unfortunately, just like SPF, the Yahoo domain key solution is based on DNS and would lock out small sites using their own SMTP servers without a DNS entry. For example, I have a DSL line and a small Linux machine set up as a mail server. Domain keys would either force everyone to get a DNS domain and a DNS server supporting that entry, or force people to use "big operator" servers.
However, the domain key is a valuable tool if used properly. A receiving filter can use it to verify that at least the message comes from Yahoo (or a provider using domain keys), and filter out all the forged mail with a Yahoo address. Almost all of the forged Yahoo mail is not sent from a Yahoo server - I assume they do have limits on how many mails an account can send per day. At least on the spam I receive, almost half of what gets past my filters is with forged addresses of people I know (and a lot is return mail from servers rejecting spam/viruses with my address).
The problem is in the details - there are a few important use cases that Yahoo may intentionally ignore. If such a solution is adopted by large providers, they can prevent people from using "identities" - I have a few addresses, and almost never send mail with the corresponding server. This is a form of "legitimate" address forging IMO. Forwarding/bouncing will also be affected.
IMO the only way a key solution could work is to make it flexible enough - the information that Yahoo or some other domain was indeed the originating server for the mail is very valuable as it locks out a lot of fake mail. Even if a spammer gets 100s of accounts - probably each will be locked or slowed down after sending a few hundred mails. It will be quite difficult to send millions of spams by getting 10.000 Yahoo accounts.
If it is bluntly used - it can be extremely damaging and destroy some fundamental uses (small servers are an important part of the internet); however, in combination with other solutions it can be extremely effective. It is stupid to think only one solution will solve all use cases - the receiver must use a combination of techniques.
A domain signature should add points to the mail "trust" score. The lack of a signature from a domain that has a key should reduce the score. If it has a personal signature or if it comes from an SPF-verified address - again, it adds to the trust level.
It is vital to use all those "positive" tools in conjunction - each is reducing the entropy and adds bits of knowledge. In the end - none will completely prevent spam, but each will help legitimate mail get to the destination.
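A sketch of the scoring rule described above, added here as an illustration and not code from the original post. The weights, the `Evidence` fields and the `domains_with_keys` set (a stand-in for a DNS key lookup) are assumptions; the post only gives the direction in which each signal moves the score.

```python
from dataclasses import dataclass

# Assumed weights: the post gives only the direction of each signal.
DOMAIN_SIG_VALID = 3
DOMAIN_SIG_EXPECTED_BUT_ABSENT = -4
PERSONAL_SIG_VALID = 2
SPF_PASS = 2

@dataclass
class Evidence:
    """Results of checks already performed by the receiving filter."""
    from_domain: str
    domain_sig: str            # "valid", "invalid" or "none"
    personal_sig_valid: bool = False
    spf_pass: bool = False

def trust_score(ev, domains_with_keys):
    """Return (score, reasons). domains_with_keys stands in for a DNS key lookup."""
    score, reasons = 0, []
    if ev.domain_sig == "valid":
        score += DOMAIN_SIG_VALID
        reasons.append("domain signature verified")
    elif ev.from_domain.lower() in domains_with_keys:
        # The domain signs its mail, so an unsigned or failing message is suspect.
        score += DOMAIN_SIG_EXPECTED_BUT_ABSENT
        reasons.append(f"domain publishes a key, signature: {ev.domain_sig}")
    # A domain with no published key stays neutral: small servers are not penalised.
    if ev.personal_sig_valid:
        score += PERSONAL_SIG_VALID
        reasons.append("personal signature verified")
    if ev.spf_pass:
        score += SPF_PASS
        reasons.append("SPF pass")
    return score, reasons

# Constructed sample data (not from the post).
KEYED = {"yahoo.com"}
SAMPLES = {
    "genuine yahoo": Evidence("yahoo.com", "valid", spf_pass=True),
    "forged yahoo": Evidence("yahoo.com", "none"),
    "identity via other server": Evidence("Yahoo.com", "none", personal_sig_valid=True),
    "small self-hosted server": Evidence("example.org", "none"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(name, *trust_score(ev, KEYED))
```

The "identity via other server" sample shows why the signals are combined: the missing domain signature costs points, but a valid personal signature recovers part of them instead of the mail being rejected outright.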
Links about Yahoo (couldn't find any Yahoo documentation, only second-hand comments):
http://www.cryptonomicon.net/modules.php?name=News&file=article&sid=536
http://www.eweek.com/article2/0,1759,1430976,00.asp
http://shumans.com/archives/000036.php
http://jeremy.zawodny.com/blog/archives/001169.html
Posted by costin at May 06, 2004 08:37 AM