Slashdot Mirror


Gmail Begins Signing Email with DomainKeys

NW writes "According to a post at IETF's MAIL-SIG list, Google has begun to sign outgoing email from Gmail with Yahoo's DomainKeys signatures. This is the first large provider of email that is actually doing so (not even Yahoo has started that yet)."

33 of 416 comments

  1. Continue the trend by synthparadox · · Score: 5, Insightful

    Google has almost everything now, why don't they make their own Anti-Spam domainkey type service?

    1. Re:Continue the trend by Russ+Nelson · · Score: 5, Insightful

      They want some hope of interoperability with other MTAs.
      -russ

      --
      Don't piss off The Angry Economist
    2. Re:Continue the trend by Lehk228 · · Score: 2, Insightful

      the whole point of such a service is that the more people using it the better and more useful it is.

      --
      Snowden and Manning are heroes.
    3. Re:Continue the trend by Hanzie · · Score: 5, Insightful
      ...why don't they make their own Anti-Spam domainkey type service

      In order for this to be the most useful, the solution needs to be usable by everybody. Yahoo has come up with a workable system, and has licensed it to everybody for free use (I await the EFF's opinion on the terms of use, but it looks pretty good to me.)

      Google has seen Yahoo's solution and deemed it 'good'. They'll use it, and traction will thus be gained. According to the article, sendmail is working on an implementation of it, for which I rejoice.

      The biggest hurdle to using this is to actually get others using it. Google has decided to throw their weight behind Yahoo's implementation. Fortunately, they've beaten the proprietary versions. I can't imagine anyone now going with a pay to use version, when this is available.

      You can also build in as much security as you want, since RSA keylength is decidable by the domain, rather than fixed.

      Hooray!

      Hanzie
      --
      ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
    4. Re:Continue the trend by Russ+Nelson · · Score: 4, Insightful

      Not true. Ebay could sign ALL email coming from Paypal and Ebay. If you got unsigned email .... it's definitely a phish. It's easy to verify the signature.
      -russ

      --
      Don't piss off The Angry Economist
    5. Re:Continue the trend by user+no.+590291 · · Score: 5, Insightful
      But until pretty much the whole world's using DomainKeys, unsigned emails can't be dropped. How would emails sent from ebay.com that contain no signature be handled? I've only skimmed the IETF draft, but unless all messages without signatures incur a key lookup (to see if it should be signed), then unsigned messages from ebay.com and paypal.com would get through.

      An important hole in the phishing protection is that there will quickly be domains like ebaysecurity.com, paypalinfo.org, or paypalfraudunit.com ad nauseam, the possible iterations over which can't all be preemptively registered, which could have perfectly valid DomainKeys signatures because the phishers would control the domains.

    6. Re:Continue the trend by tomhudson · · Score: 5, Insightful
      There are lots of reasons not to develop their own:
      1. The terms to license DomainKeys are very liberal
      2. Google doesn't suffer from the NIH (Not Invented Here) syndrome, and wants to show itself as being an open company
      3. This will help the tech reach the "critical mass" much sooner
      4. gmail users tend to be "early adopters", so why not offer it to those "early adopters", and signal a trend :-)
      5. Google wants to be seen as working against spammers - can you blame them?
      6. Google has other fish to fry (ie: Microsoft search), so why not adopt tech that can compete successfully with Microsoft's proposed solution, and that is already available to everyone?
    7. Re:Continue the trend by ergo98 · · Score: 5, Insightful

      But until pretty much the whole world's using DomainKeys, unsigned emails can't be dropped.

      -You receive a message
      -You check the DNS for the key
      -It has one, but the message isn't signed. Drop the message.

      Receivers that don't check the key of course won't realize they're getting fraudulent mail, but those that do will with absolute certainty - if Google publishes that they sign their emails, then you can be absolutely certain that unsigned emails are fakes and dump them. If the sending domain doesn't have a key then you obviously can't take advantage of this.

      An important hole in the phishing protection is that there will quickly be domains like...

      Excellent point that is very true. While this is another tool for the clueful, the clueless will happily believe derivatives, and as you mentioned they will be fully "authenticated". paypa1.com anyone?
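Added example, not part of any comment above: the receiver-side decision discussed in this sub-thread (look up the sending domain's policy, reject unsigned mail only when the domain says it signs everything). It assumes the policy tags of the DomainKeys draft (`o=-` signs all mail, `o=~` signs some, `t=y` testing) in a TXT record at `_domainkey.<domain>`; the zone data, domain names and verdict labels are constructed for illustration, and DNS is replaced by a dict.

```python
# Constructed sample TXT records standing in for DNS (no network access).
SAMPLE_TXT = {
    "_domainkey.example-bank.test": "o=-",          # signs all mail
    "_domainkey.example-isp.test": "o=~",           # signs some mail
    "_domainkey.example-pilot.test": "o=-; t=y",    # still testing
    "_domainkey.examp1e-bank.test": "o=-",          # lookalike with its own keys
}

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def sender_domain(address):
    """Domain of a bare address; display names are not handled here."""
    return address.strip().strip("<>").rsplit("@", 1)[1].lower()

def verdict(address, signature_result, txt=SAMPLE_TXT):
    """signature_result is 'good', 'bad', or None when the message carries no
    DomainKey-Signature header; the RSA check is assumed done elsewhere."""
    if signature_result == "good":
        return "authenticated"
    record = txt.get("_domainkey." + sender_domain(address))
    if record is None:
        return "unverified"            # domain publishes nothing: no conclusion
    policy = parse_tags(record)
    if policy.get("t") == "y":
        return "unverified"            # testing mode: treat like unsigned mail
    if policy.get("o", "~") == "-":
        return "reject"                # domain signs everything, this is not signed
    return "unverified"                # domain signs only some mail

if __name__ == "__main__":
    for addr, sig in [("billing@example-bank.test", None),
                      ("user@example-isp.test", None),
                      ("billing@examp1e-bank.test", "good")]:
        print(addr, sig, "->", verdict(addr, sig))
```

The last case is the lookalike-domain point made in the thread: a valid signature authenticates the domain that signed, not the brand the reader thinks they see.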

    8. Re:Continue the trend by aussie_a · · Score: 2, Insightful

      Actually that would be an easy fix. I create a filter on my end which would go "IF domain not in address book put into folder SUSPECT" I then check, oh it looks like someone from paypal e-mailed me, why did this get put in here, I better look closer, oh it's paypa1.com not paypal.

      DomainKeys makes filters useful by allowing me to be certain the person e-mailing is really from the domain they claim to be (i.e. they pretend to be e-mailing from paypal.com but are really e-mailing from omfg.com).

    9. Re:Continue the trend by blowdart · · Score: 2, Insightful
      Because having to support and setup records for 3

      is already stupid enough without adding a fourth option into the list.

      The whole thing smacks of "not invented here" right now, they all do the same thing, they all do it in the same way, and yet everyone says theirs is best.

      What's more interesting is the lack of awareness from developers for this. There are a lot of systems out there right now that will, for example, send invites to join their web site to your nominated friends using your from address. So as someone who has SPF and SenderID entries I see a lot of bounces because of this. It's not just a matter of making all mail servers support it; developers also have to actually think and keep up and stop spoofing themselves.

    10. Re:Continue the trend by Lumpy · · Score: 2, Insightful

      all ebay and paypal emails could easily be gpg signed automatically with no extra costs to ebay.com and any slightly competent admin can set it up.

      (We do this at work, at the server everything is gpg signed with a company key that is broadcast to customers or is generated by our billing system)

      --
      Do not look at laser with remaining good eye.
  2. Re:Wait a minute... by Maestro4k · · Score: 5, Insightful
    • Don't get me wrong, I'm not one of them Google bashers (I don't believe the Google Desktop is spyware, for example), but in this case I would like to have an opt-out option!
    Since Gmail's a free service, I believe your opt-out mechanism is to use something else. Given this is largely an anti-spam technique (to prove an E-mail is legitimately from the domain it says it is) I can't see Google being willing to provide an opt-out on this, it would undermine the whole effort.
  3. Spammers on GMail by fembots · · Score: 1, Insightful

    So will this prevent spammers from sending spams via a Gmail account?

    This DomainKeys system relies on both sending and receiving servers to validate an email, will it ever catch on?

    1. Re:Spammers on GMail by Russ+Nelson · · Score: 3, Insightful

      Of course that just means spammers will start using different domain names as return addresses.

      Yes, true, that is why DomainKeys is an authentication system. To the extent that it helps stop spam, it will be through forcing spammers to use their own names.
      -russ

      --
      Don't piss off The Angry Economist
    2. Re:Spammers on GMail by SnprBoB86 · · Score: 3, Insightful

      "So will this prevent spammers from sending spams via a Gmail account?
      I doubt that's really the concern, most spammers don't use mainstream ISPs/E-mail providers as it is, they just fake return addresses from domains of known ISPs/E-mail providers"

      I would think the really important thing about this is that Google is respected in the internet industry and that others will certainly follow suit. If enough big players make the effort to ensure email from their domain names is authenticated, email clients could eventually offer the option to only accept emails from proven senders.

      --
      http://brandonbloom.name
    3. Re:Spammers on GMail by bcrowell · · Score: 2, Insightful

      There are how many million domain names registered? As long as not ALL of them implement this, spammers will always have domain names they can use.
      Users can choose not to accept mail that isn't signed with a DomainKeys signature. If a user is only accepting signed mail, then his spam filter can make a decision to accept mail or not accept it, based on the reputation of the sending domain: white lists, black lists, refusal to accept mail from a domain that hasn't yet established a track record.

    4. Re:Spammers on GMail by metlin · · Score: 2, Insightful

      Read this article. Google also endorsed SPF, I do not know what happened.

      But you're missing my point.

      Even I've come up with a solution to combat spam.

      That is not the point - the point is actual implementation. Google is at liberty to implement what serves their needs best.

      But why does Microsoft not go ahead and implement it in their systems? The system was introduced in June-July, and the last time I checked, guess which of Microsoft's mail services have SPF implemented? Microsoft? Hotmail? MSN? Xbox? Nope.

      NONE of the above.

      That is the difference - not suggesting new technologies, but going ahead and implementing them so that people adopt. I mean, they are so good at doing that for other things, why not for something useful?

      That's what I feel bad about.

  4. Re:What!? by mccrew · · Score: 4, Insightful
    No, Mr. Funny Guy, it means that the mail really did originate by the user BUYYYY_CH33P_M3DZ@gmail.com and did not contain a faked From: header. But I suspect you knew that.

    All of these spam identification methods merely provide reliable authentication of the sender's domain. The rest is up to you. You still have the responsibility to maintain spam filters.

    Having reliable identification is a first step. A very important first step.

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  5. Re:I'd like to see personal signatures by Rikus · · Score: 2, Insightful

    If you want to sign your own mail, why not use PGP? Unlike this, it's already in widespread use, independent of the server providing service (unless you use webmail, in which case it would be a bit tougher).

  6. Re:why by Russ+Nelson · · Score: 4, Insightful

    Every email needs to come with some token of authenticity, be it a source IP address ala SPF, or cryptographic signature ala DomainKeys, or a low SpamAssassin score, or no listing in any of a number of DNSBLs. The days when you could send anybody an email from anywhere and expect them to receive and read it are long gone.
    -russ

    --
    Don't piss off The Angry Economist
  7. Reminds me of Sealab 2021 by Faustust · · Score: 2, Insightful


    Stimutax!

    Step 1: Make something addictive.
    Step 2: Give it out for free.
    Step 3: Start charging money.
    Step 4: Rake in the money!

    One of the greatest episodes ever.

    "It feels like a Koala crapped a rainbow in my brain"

  8. Re:Header Example by ornil · · Score: 4, Insightful

    And my spam filters would have killed that message dead. Too much non-human-readable text.

    Your spam filter cares about the non-readable text in the header?

  9. What about... by ottergoose · · Score: 5, Insightful

    What about all of those zombie machines out there that send spam via Outlook - since that email is going out with a valid account, it would be flagged as legit.

    Tell me where I'm wrong.

  10. Re:SPF and gmail by miley · · Score: 2, Insightful
    >Why is everyone flipping out about domainkeys

    Well, if Google, Yahoo (who created the spec, and indicated that they would be using it shortly), and AOL (who says they will begin testing in Q1) all use DomainKeys, we probably have a de facto email authentication standard.

  11. Another Grand Unified Spam Solution(TM) by martin-boundary · · Score: 4, Insightful
    This type of spam solution just misses the state of the current end to end mail system. Why Google would want to push such an incomplete, half ready cryptography solution is beyond me.

    The Google engineers aren't stupid, they know that mail messages are routinely modified in transit, both the headers, which can be wrapped, rearranged, removed or added, and the MIME bodies, which can be decoded, reencoded, and even modified.

    As engineers, they also know that cryptographic signatures are designed to detect message tampering.

    Combine these two ideas and you get a system which will flag routine message modifications as forgeries, making the DomainKeys signature completely useless in practice. And yes, I've read the rfc draft, and found it wanting.

    It *would* work if there was a standard set of well defined transformations performed on emails from the sender's MUA to the recipient's MUA. So if one Gmail user sends to another Gmail user, it'll be ok, because the message won't leave Google's servers.

    But Google has no control over other people's systems. When I download mail by POP3 from my ISP, they've added SpamAssassin headers, which will simply destroy the DK cryptographic signature. When I get mail at work, they remove ZIP attachments, which destroys the DK signature. When mail passes through an older gateway, some MIME attachments can be decoded and reencoded, destroying the DK signature.

    I could go on but you see the point. Once I get the mail in my mailreader, the DK header is useless junk, and it might as well have been forged, for all the good it does. In fact, if my trust in Google is so high that I'm willing to accept the DK header even though it fails, just because Google are the only ones using it so far, I guarantee that the spammers will pick up on that real fast.

    DK is a draft, and is far from ready yet. It should be allowed to mature. Google shouldn't be deploying incomplete solutions. Unless... could this be the beginning of the PHB era at Google? If so, I'm disappointed.
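Added example, not part of the comment above: a way to check which kinds of transit modification change the bytes a DomainKeys signature covers. It assumes the draft's rule that only what follows the DomainKey-Signature header is signed, uses a simplified form of the `nofws` canonicalization, and compares SHA-1 digests as a stand-in for RSA verification; the message and the three modifications are constructed.

```python
import hashlib
# Constructed sample message (not real mail); the b= value is a placeholder.
ORIGINAL = [
    "Received: from mx.example-mail.test",
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel1;",
    " d=example-mail.test; b=PLACEHOLDER",
    "From: alice@example-mail.test",
    "Subject: quarterly report for the",
    " finance team",
    "To: bob@example-isp.test",
    "",
    "Hello Bob,",
    "the report is attached.",
]
# Three constructed transit modifications of the same message.
CASES = {
    "filter header prepended": ["X-Spam-Status: No, score=0.1"] + ORIGINAL,
    "subject re-folded": ORIGINAL[:4]
    + ["Subject: quarterly report", " for the finance team"] + ORIGINAL[6:],
    "body altered by gateway": ORIGINAL + ["[attachment removed by gateway]"],
}

def signed_portion(lines):
    """Assumption: only lines after the DomainKey-Signature header are signed."""
    for i, line in enumerate(lines):
        if line.lower().startswith("domainkey-signature:"):
            i += 1
            while i < len(lines) and lines[i][:1] in (" ", "\t"):
                i += 1  # skip the signature header's own continuation lines
            return lines[i:]
    raise ValueError("no DomainKey-Signature header")

def canonicalize(lines, mode):
    """'simple' keeps lines as-is; 'nofws' (simplified) drops all whitespace."""
    if mode == "simple":
        return "\r\n".join(lines) + "\r\n"
    out, in_headers = [], True
    for line in lines:
        if line == "":
            in_headers = False  # blank line ends the header block
            continue
        squeezed = "".join(line.split())
        if in_headers and line[:1] in (" ", "\t") and out:
            out[-1] += squeezed  # continuation of the previous header
        elif squeezed:
            out.append(squeezed)
    return "\r\n".join(out) + "\r\n"

def digest(lines, mode):
    data = canonicalize(signed_portion(lines), mode).encode("utf-8")
    return hashlib.sha1(data).hexdigest()

def report():
    return {name: {m: digest(msg, m) == digest(ORIGINAL, m)
                   for m in ("simple", "nofws")}
            for name, msg in CASES.items()}

if __name__ == "__main__":
    print(report())
```

Under these assumptions a header added above the signature leaves the digest unchanged, re-folding survives only the whitespace-insensitive canonicalization, and any body change invalidates the signature in both modes.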

  12. Google also tried using Bonded Spammer for a while by Animats · · Score: 4, Insightful
    I got an e-mail from Google once that came from a Bonded Spammer (er, Sender) IP address. Unfortunately, it was a misdirected mail bounce, which is a violation of the Bonded Sender TOS. A note to Bonded Sender and Google made them stop that.

    If you sign up with one of these "trusted sender" schemes, be very careful that there's no way mail bounces, virus-generated mail, or mail via open proxies can become "trusted". Your ID will be on the mail, and you'll be blamed. Spammers are going to be targeting those sites, since they provide a bypass around some spam filters.

  13. Header Length? by __aafkqj3628 · · Score: 4, Insightful

    Is it just me, or is the length of email headers these days starting to eclipse the length of the body?

  14. Re:Patents and hypocrisy by gsasha · · Score: 4, Insightful

    The minuscule and unimportant fact that Yahoo have thrown in an open license for it. And that everybody (including FOSS) can implement it at will.

  15. Re:What!? by porttikivi · · Score: 2, Insightful

    But the point is, that if it is spoofed and not originating from Google as it claims, then it falls to your non-authenticated suspects bin. Mail cannot be both spoofed _and_ authenticated.

    --
    Anssi Porttikivi / app@iki.fi
  16. Re:Domain Keys question by quintessent · · Score: 1, Insightful

    Hmmmm. Sounds like a good place for the Reply-to field. Because even if you legitimately own an address, if the message didn't go through that server, then it's not 100% accurate to say it's from there.

  17. Re:This will work - differential filtering by thesp · · Score: 4, Insightful

    The problem here is that most people won't change their email provider simply for the hassle of keeping contacts up to date. People who hate hotmail's service, yet know that it would be near-impossible to ensure that everyone who may need to email them has any updated email address details. (the problem is not the same as number portability between phone networks due to the difference in routability and the 'brand recognition' part of email.) For this to work, therefore, we need to divorce an email receiving account from a sending account - and very few services exist to be able to hire a secured smtp account exclusively for the purpose of sending from a 'trusted' domain.

  18. Why put public keys (only) in DNS system? by geg81 · · Score: 2, Insightful

    Putting the public keys only into the DNS system seems to make adoption of such a system quite a bit more difficult than it needs to be. Why not also allow people to put the public keys on web pages? The goal is to have senders prove their identity, and the level of proof required by recipients as well as the nature might differ depending on the application. Many people may be quite happy knowing a web site under the control of the sender of a piece of mail.

    So, say, you get mail from "someone@mydomain.com". The signature specifies that the public key is on "http://www2.mydomain.com/mail_signature.html" and uses that to verify the signature on the mail message. The recipient gets to decide whether the URL "http://www2.mydomain.com/mail_signature.html" is close enough to "someone@mydomain.com" to accept the public key from there (a reasonable default would be to accept it when the mail host is a suffix of the URL host).

    This wouldn't exclude putting public keys in the DNS system, and those keys might be "more trusted" by users, but it would make it much easier for regular users to deploy and use such a system, regardless of whether their ISP is keeping up with the times. In particular, I would imagine users writing mail rules to treat different cases differently (signed with DNS key, signed with matching web site, signed with non-matching web site, incorrect signature, unsigned).
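Added example, not part of the comment above: the "mail host is a suffix of the URL host" default it proposes, compared against a plain string-suffix test. The comparison has to be made on whole DNS labels and on the parsed host, otherwise unrelated hosts match. Function names and the `.test` hosts are constructed for illustration, mirroring the comment's `mydomain.com` example.

```python
from urllib.parse import urlparse

def labels(host):
    """Lower-cased DNS labels of a host name, ignoring a trailing dot."""
    return host.lower().rstrip(".").split(".")

def naive_match(sender, key_url):
    """String-suffix test on the raw URL host: what a quick rule might do."""
    return urlparse(key_url).hostname.endswith(sender.rsplit("@", 1)[1])

def key_url_matches_sender(sender, key_url):
    """True only if the sender's mail host is a label-wise suffix of the host
    that would actually be contacted for key_url."""
    parsed = urlparse(key_url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    mail, url = labels(sender.rsplit("@", 1)[1]), labels(parsed.hostname)
    return len(url) >= len(mail) and url[-len(mail):] == mail

# Constructed test inputs.
SENDER = "someone@mydomain.test"
URLS = [
    "http://www2.mydomain.test/mail_signature.html",      # intended case
    "http://notmydomain.test/mail_signature.html",        # shares a string suffix only
    "http://mydomain.test.other.test/mail_signature.html",
    "http://mydomain.test@other.test/mail_signature.html",  # userinfo, host is other.test
]

def compare():
    """Return (url, naive result, label-wise result) for each sample URL."""
    return [(u, naive_match(SENDER, u), key_url_matches_sender(SENDER, u))
            for u in URLS]

if __name__ == "__main__":
    for row in compare():
        print(row)
```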

  19. Re:I want my TXT record back! by grinder · · Score: 3, Insightful

    _domainkey?

    Is that underscore really meant to be there? Because _ is not supposed to be an allowable character for names in the DNS.

    I hope that this is not Yet Another Impoverishment of internet standards...