Yahoo on Tuesday released an e-mail standard that prevents spammers from hiding behind legitimate e-mail addresses. Yahoo’s proposed standard, known as DomainKeys, would embed outgoing messages with an encrypted digital signature matched to a signature on the server computer that sends the message.
From Yahoo DomainKeys:
Email spoofing is the forging of another person’s or company’s email address to get users to trust and open a message – is one of the biggest challenges facing both the Internet community and anti-spam technologists today. Without sender authentication, verification, and traceability, email providers can never know for certain if a message is legitimate or forged and will therefore have to continually make educated guesses on behalf of their users on what to deliver, what to block, and what to quarantine, in the pursuit of the best possible user experience.
DomainKeys is a technology proposal that can bring black and white back to this decision process by giving email providers a mechanism for verifying both the domain of each email sender and the integrity of the messages sent (i.e,. that they were not altered during transit). And, once the domain can be verified, it can be compared to the domain used by the sender in the From: field of the message to detect forgeries. If it’s a forgery, then it’s spam or fraud, and it can be dropped without impact to the user. If it’s not a forgery, then the domain is known, and a persistent reputation profile can be established for that sending domain that can be tied into anti-spam policy systems, shared between service providers, and even exposed to the user.
Internet providers could check the signatures on incoming messages and block those that do not match up. The procedure would be invisible to regular e-mail users because it would be implemented by e-mail providers, Yahoo described.
