Yahoo Submits DomainKeys Draft To IETF

← Back to Stories (view on slashdot.org)

Yahoo Submits DomainKeys Draft To IETF

Posted by timothy on Wednesday May 19, 2004 @02:04AM from the you-may-be-surprised-to-receive-this-draft dept.

NetWizard writes "According to a mailing list post at the IETF, Yahoo's website and a Wired News story, Yahoo has made the DomainKeys draft public and submitted to the IETF." Russ Nelson explains "Basically, your MTA uses RSA-SHA1 to sign the headers and body of your email and inserts that signature before sending the email. The recipient MTA looks up $selector._domainkey.$domain in the DNS, gets your public key, verifies it, and inserts a notice. There's also a SourceForge project for a DomainKeys library." An anonymous reader asks "It seems to me that it doesn't offer anything more than the Sender Policy Framework by pobox.com, other than doing relay-based signing of the messages to provide the sender verification. SPF has already grown to over 14,000 domains so far and only requires an addition to your DNS to support (from the sending side). Verifying messages on the receiving MTA is as simple as doing a DNS lookup, most MTAs can support SPF now, the code is available and well tested. What advantages to people see in Domainkeys over SPF that are actually useful, and what standard should people implement?"

25 of 350 comments (clear)

Min score:

Reason:

Sort:

To understand... by Mz6 · 2004-05-19 02:08 · Score: 5, Interesting

OK... It seems that SPF would have a little easier setup, only requires setup on one side. While DomainKeys would have more of an upfront cost to get it working and setup costs on both sides. However, pobox.com has theirs software up an working while Yahoo only has a working document to offer proof of concept. I would like to see Yahoo's example up and running and see how it would compare once out in the wild.

--
Hmmm.
1. Re:To understand... by tanguyr · 2004-05-19 02:24 · Score: 5, Informative
  
  Not only that, but SPF also seems more flexible. Domainkeys seems limited to making sure that the from header was not forged and that the SMTP machine used is on that domain's approved sender's list. Don't forget that SPF allows you to say "any machine may send mail from my domain as long as the mail is digitally signed" - or "any machine with an MX record in my domain may send mail for that domain" (which you could update withoput having to regenerate keys, etc)
  
  In short - SPF looks like the more elegant solution.
  
  --
  #!/usr/bin/english
2. Re:To understand... by Russ+Nelson · 2004-05-19 02:57 · Score: 4, Informative
  
  DomainKeys signs the entire message, not just the From: header. DomainKeys lets anybody send regardless of IP address as long as they have a private key whose public key is published under that domain. A domain may have multiple keys, and generating a new key takes but a second.
  
  The trouble with SPF is that it's based on IP addresses, and forwarding completely breaks SPF. That's why they need SRS in order to be able to forward at all.
  
  --
  Don't piss off The Angry Economist
3. Re:To understand... by johnnyb · 2004-05-19 03:19 · Score: 4, Funny
  
  But the problem is that if you're a salesman, you are never at the same place twice.
  
  --
  Engineering and the Ultimate
One advantage DomainKeys has over SPF... by Anonymous Coward · 2004-05-19 02:10 · Score: 5, Interesting

SPF breaks forwarding. Domainkeys doesn't. That alone is a serious enough problem that I can't implement SPF.
1. Re:One advantage DomainKeys has over SPF... by Otto · 2004-05-19 06:29 · Score: 4, Insightful
  
  The job of a mailserver admin is NOT to decide who's allowed to send mail to the users and who's not. If a user asks (e.g. block all but this whitelist), sure. But absent a request from the user, you have no rights to decide which email goes through and which is blocked (with obvious exceptions for things like viruses).
  
  You are a mailserver admin -- that's a SUPPORT position. You don't decide what your users are allowed to see and you have no rights to demand to know the real name of people who are not even your users, but are just sending email to them.
  
  I'm sorry, but you are incorrect. The mailserver admin is acting on behalf or (or may be in fact) the owners of the hardware that the mail in question is travelling through. That gives them every right to decide, by any standards they like, what mail they accept or don't accept.
  
  This is a simple question of property rights. My property, my rights.
  
  As far as what the users want, sheesh, it's like you just don't trust market forces anymore.. If the admin blocks too much, the users get pissed and find a new ISP. It's a self-correcting problem.
  
  It is the mailserver admin's job to ensure the correct operation of the mailing system, and the owners of the system get to decide what "correct" means. Deal with it.
  
  --
  - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Perhaps I'm missing something by Anonymous Coward · 2004-05-19 02:12 · Score: 5, Insightful

But doesn't this miss the point of spam?

Based on articles refered here on Slashdot, I'd assumed a major source of spam were machines that have been compromised. Spammers use known lists of unwitting relays to forward spam through legitimate hosts.

Email today will tell me the name of the host where something came from, that doesn't really help. At best, I could (a) contact the owner of the domain (which I can do today) (b) develop a list of open relays that I won't accept mail from (which I can do today).

It seems to me the net effect of this is to limit email to large ISPs. It won't be good enough for me to buy a T1 and run my mail server from there, I'll have to rely on Yahoo, MSN, AOL, Comcast and a few others to be my MTA because people won't accept mail from a small provider (or a single point system) any more.
1. Re:Perhaps I'm missing something by eric76 · 2004-05-19 02:25 · Score: 5, Insightful
  
  There is no need to limit e-mail to the big ISPs. Are you suggesting that all the corporations and smaller ISPs purchase e-mail services from the bigger companies? What would that accomplish?
  
  The major source of spam are machines that are compromised is true. The vast majority of such machines are not mail servers at all. Shunning all the small providers and companies might help reduce spam somewhat, but at an enormous expense.
  
  If you accept e-mail only from legitimate e-mail servers, regardless of the size of the ISP or company, you would accomplish pretty much the same thing.
  
  By the way, if the big ISPs have the market cornered on e-mail services, what makes you think they would be anti-spam? The larger reason that they are anti-spam is because of being blocked by the vast numbers of smaller ISPs and companies who pioneered the use of blacklists. Take away that and the big ISPs would love spam because they would be able to collect more money from their captive audience based on the volume of mail handled for that company or smaller ISP.
2. Re:Perhaps I'm missing something by CustomDesigned · 2004-05-19 02:35 · Score: 5, Insightful
  
  Neither SPF nor Domain Keys directly addresses spam. They both prevent forgeries, aka "joe jobs". SPF stops envelope forgery. DK stops mail header forgery. The vast majority of AOL spam is not sent via AOL. That is why AOL is an early adopter of SPF. I have gotten death threats from people who are sick of getting spam I supposedly sent them. If SPF were widely implemented in MTA's, they would never get such forged mail. When SPF becomes widely implemented, spammers can publish SPF records also - in fact many already are. But now you can use the domain registration to track the source of the spam. This facilitates prosecution of scams, and blacklisting of unwanted spamming vendors.
SPF breaks Forwarding by Anonymous Coward · 2004-05-19 02:13 · Score: 5, Informative

I'm the SysAdmin of an ISP. We had to turn off SPF after some users couldn't send e-mail to people that used mail forwarders. For instance, if someone has a domain 'foo.com' that sends all mail sent to it to 'foo@verizon.net', and foo.com resides outside of verizon.net, my users wouldn't be able to send him mail if Verizon uses SPF.

SPF is junk. The number one priority of e-mail: Legit mail must reach the recipient.
1. Re:SPF breaks Forwarding by Mz6 · 2004-05-19 02:22 · Score: 5, Informative
  
  Info from the SPF site on forwarding...
  "Forwarding services and web-generated email sites need to deploy SRS. Pobox.com, for instance, has already integrated SRS into its bespoke MTA using Mail::SRS.
  Hobbyists who provide .forward or /etc/aliases services will also have to get an SRS-enabled MTA.
  Sites that do not do .forward or /etc/aliases forwarding to remote sites will not need to do a thing.
  Once a majority of forwarding setups are SRS-compliant, SPF publishers can change their defaults from "neutral" or "softfail" to "fail". "
  Seems like for fowarding to work.. one method has to become a standard.. And we need to do it right this time. The above text says that everyone would have to install their software to get forwarding to work.
  
  --
  Hmmm.
Re:Patent Licensing by Anonymous Coward · 2004-05-19 02:13 · Score: 5, Informative

It's probably better:

Yahoo! will grant a royalty-free, worldwide, non-exclusive license under any Yahoo! patent claims that are essential to implement or use any Implementations so that licensees can make, use, sell, offer for sale, import, or yodel Implementations; provided that the licensee agrees not to assert against Yahoo!, or any other Yahoo! licensees of Implementations, any patent claims of licensee that are essential to implement or use any Implementations.

Microsoft's implementation requires you to sign away your right to sue them for any patent claim and doesn't allow you to sublicense the technology (ie: GPL/LGPL/BSD-incompatible). This one is less agressive.
SPF breaks relaying by Mr.+Slippery · 2004-05-19 02:15 · Score: 5, Informative

other than doing relay-based signing of the messages to provide the sender verification.

SPF's handling of relays is broken:

But that breaks forwarding!
Yes, it does. You'll have to switch from forwarding, where the envelope sender is preserved, to remailing, where the envelope sender is changed. But don't worry, we're working on providing SRS patches for the four major opensource MTAs, so that when you upgrade to an SPF-aware version, this problem will be solved also.

If DomainKeys takes care of that, I'd choose it over SPF in a heartbeat.

--
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Re:PGP? by grub · 2004-05-19 02:15 · Score: 4, Insightful

"OK, Grandma, now type in your PGP passphrase. Ensure it's very long and made up of alphanumerics, symbols and control characters. Make sure you don't forget it..."

--
Trolling is a art,
Re:Expensive... by Anonymous Coward · 2004-05-19 02:17 · Score: 4, Interesting

Even better, because then spam won't be possible if it's computationally intensive.
That's "boycott-email-caller-id.org" by Anonymous Coward · 2004-05-19 02:22 · Score: 4, Informative

The post above has the wrong URL. The site that describes the patent issues with caller id for email is actually boycott-email-caller-id.org.

It has a brief mention of domainkeys as well.
SPF and DK solve different problems by CustomDesigned · 2004-05-19 02:25 · Score: 5, Informative

SPF validates the envelope from, and can be checked before the DATA phase of SMTP. Domain Keys validates the rfc822 headers, and can't be checked until after SMTP DATA.
You want to implement both. SPF detects envelope forgeries before you have wasted much bandwidth. You can then use right hand side blacklists on sender domains. Yes, spammers too are adopting SPF. This is OK - those who like spam have something other than instinct to warn them when they are dealing with a scammer instead of a spammer. Those who hate spam can ignore it more efficiently.
Domain Keys validates the message headers. It protects you against forgeries by users in the same domain - e.g. a spammer on yahoo forging an innocent party on yahoo. SPF can also detect envelope sender forgeries from the same domain in conjuction with SES (Signed Envelope Sender) - which adds a crypto cookie to the local part.
You should implement SPF first. It is simpler, and eliminates most forgeries before SMTP DATA. SPF requires sepcial consideration for forwarders (SRS - Sender Rewriting Scheme) or whitelisting.
DK is a good addon for large ISP domains like yahoo and aol, but is broken by forwarders or mail processing tools that modify the body. For instance, my DSPAM bayesian filter adds "tags" to messages.
1. Re:SPF and DK solve different problems by AnotherBlackHat · 2004-05-19 03:39 · Score: 4, Informative
  
  Correct me if I'm missunderstanding SMTP (or just making things up), but once a message enters the DATA phase, isn't an MTA supposed to accept it?
  
  Consider yourself corrected.
  
  RFC 2821 in section 4.2.5 Reply Codes After DATA and the Subsequent <CRLF>.<CRLF>
  makes it clear that if an error code is returned after the final '.' then the receiver is specifically not supposed to handle the message, and any bounces are therefore the responibility of the sender.
  
  -- this is not a .sig
Why domainkeys is better than SPF by duncanthrax · 2004-05-19 02:26 · Score: 5, Informative

1. Domainkeys does not break forwarding.
2. Domainkeys can be used either on the MUA or the MTA, for both sender and recipient sides. This makes it possible to still use 3rd party relays.
3. Domainkeys spoof-protects the domain in the "From:" header field, which is what Joe Sixpack sees in his MUA application.

Domainkeys does have the problem that you can't add headers to messages without re-signing them. If you re-sign them you must also rewrite the "From:" header. This will affect mailinglists.

Domainkeys will not ultimatively solve the spam problem, but it is better than the broken SPF.
SPF and DomainKeys complement each other by That's+Unpossible! · 2004-05-19 02:32 · Score: 4, Insightful

SPF tries to assure the sender of the message (MAIL FROM, return-path, whatever you want to call it) is legitimate. DomainKeys can be used to assure the author of the message (From: header) is legitimate.

I quote this from the very top of the SPF FAQ itself:

"Protecting authorship information is an important goal. However, the technical issues associated with protecting the "From:" header are much more numerous and challenging. The best way to protect the header "From:" is by using a cryptographic signature such as S/MIME, PGP, or (when it is released) Yahoo DomainKeys."

--
Ironically, the word ironically is often used incorrectly.
Re:Possible method to defeat. by -brazil- · 2004-05-19 02:59 · Score: 4, Informative

Could someone perhaps keep bouncing messages off the MTA and using the signed messages from that to try to decrypt the cipher and such?

A really good cipher is resistant even against such a "chosen plaintext attack"; furthermore, it's trivial to defeat such attacks completely by inserting a meaningless random element.

If a system is compromised (i/e: with a virus/worm) couldn't the technology be defeated via that as well?

Not nearly as easily as now, since it requires cooperation from the DNS server.

--
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
SPF does not break forwarding by CustomDesigned · 2004-05-19 03:22 · Score: 4, Informative
I am dismayed at how often this misunderstanding has been repeated here.
- If the receiver does not check SPF, then no mail is rejected and forwarding is not broken.
- If the receiver does check SPF, but doesn't use any forwarders, then forwarding is not broken.
- If the receiver does check SPF, but uses only forwarders that implement SRS, then forwarding is not broken.
- If the receiver does check SPF and uses a non-SRS forwarder, but uses a whitelist to avoid rejecting mail from that forwarder, then forwarding is not broken.
- If the receiver check SPF and uses a non-SRS forwarder, but configures their MTA to reject mail from that forwarder, then their incompetence will result in rejected mail. How is this the fault of SPF?
As long as... by .@. · 2004-05-19 03:26 · Score: 5, Insightful

As long as SPF breaks forwarding (and as long as SPF supporters behave as though this is no big deal), it'll fail.

SRS is nothing but re-hashed bang-pathing, and the SRS folks don't address any of the problems inherent in bang-pathing.

Show me a Unix system that doesn't use /etc/aliases! (postmaster and abuse accounts, anyone?)

--
.@.
Anyone using SPF with Sendmail? by Just+Some+Guy · 2004-05-19 03:27 · Score: 4, Interesting

I admin several FreeBSD mailservers. I've added SPF records to the DNS for all of my domains, but I'd like to start using it to tag incoming email. Unfortunately, I'm not having much luck finding Sendmail milters (or other plugins) that 1) aren't written in Perl and seem to require half of CPAN, or 2) don't require much patching of Sendmail itself.
Are there any lightweight milters that would work under FreeBSD that I could use to start using SPF on production systems? While I certainly won't be filtering out unknown mail at this time, I'd like to start inserting result headers to see how accurate it is in the real world.

--
Dewey, what part of this looks like authorities should be involved?
SPF isn't based on IP addresses. by jefp · 2004-05-19 05:40 · Score: 4, Insightful

Why do people keep saying SPF is based on IP addresses? Here's my SPF string: "v=spf1 a mx a:safe.acme.com a:widget.acme.com a:pill.acme.com -all" Do you see any IP addresses in there? I don't. SPF is based on domain names.

And another thing. People keep complaining that SPF and other similar schemes won't stop spam cause spammers use hijacked machines. Duh! What these schemes will stop is worms, not spam. That also explains why Microsoft is interested - rather than fixing their god damned software so it's secure, they want to fix everyone's email so that broken Microsoft software isn't quite so annoying. Well, whatever.