Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail Begins Signing Email with DomainKeys

Posted by timothy on from the early-adopter dept.

NW writes "According to a post at IETF's MAIL-SIG list, Google has begun to sign outgoing email from Gmail with Yahoo's DomainKeys signatures. This is the first large provider of email that is actually doing so (not even Yahoo has started that yet)."

8 of 416 comments (clear)

  1. Continue the trend by synthparadox · · Score: 5, Insightful

    Google has almost everything now, why don't they make their own Anti-Spam domainkey type service?

    1. Re:Continue the trend by Russ+Nelson · · Score: 5, Insightful

      They want some hope of interoperability with other MTAs.
      -russ

      --
      Don't piss off The Angry Economist
    2. Re:Continue the trend by Hanzie · · Score: 5, Insightful
      ...why don't they make their own Anti-Spam domainkey type service

      In order for this to be the most useful, the solution needs to be usable by everybody. Yahoo has come up with a workable system, and has licensed it to everybody for free use (I await the EFF's opinion on the terms of use, but it looks pretty good to me.)

      Google has seen Yahoo's solution and deemed it 'good'. They'll use it, and traction will thus be gained. According to the article, sendmail is working on an implementation of it, for which I rejoice.

      The biggest hurdle to using this is to actually get others using it. Google has decided to throw their weight behind Yahoo's implementation. Fortunately, they've beaten the proprietary versions. I can't imagine anyone now going with a pay to use version, when this is available.

      You can also build in as much security as you want, since RSA keylength is decidable by the domain, rather than fixed.

      Hooray!

      Hanzie
      --
      ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
    3. Re:Continue the trend by user+no.+590291 · · Score: 5, Insightful
      But until pretty much the whole world's using DomainKeys, unsigned emails can't be dropped. How would emails send from ebay.com that contain no signature be handled? I've only skimmed the IETF draft, but unless all messages without signatures incur a key lookup (to see if it should be signed, then unsigned messages from ebay.com and paypal.com would get through.

      An important hole in the phishing protection is that there will quickly be domains like ebaysecurity.com, paypalinfo.org, or paypalfraudunit.com ad nauseam, the possible iterations over which can't all be preemptively registered, which could have perfectly valid DomainKeys signatures because the phishers would control the domains.

    4. Re:Continue the trend by tomhudson · · Score: 5, Insightful
      There are lots of reasons not to develop their own:
      1. The terms to license DomainKeys are very liberal
      2. Google doesn't suffer from the NIH (Not Invented Here) syndrome, and wants to show itself as being an open company
      3. This will help the tech reach the "critical mass" much sooner
      4. gmail users tend to be "early adopters", so why not offer it to those "early adopters", and signal a trend :-)
      5. Google wants to be seen as working against spammers - can you blame them?
      6. Google has other fish to fry (ie: Microsoft search), so why not adopt tech that can compete successfully with Microsoft's proposed solution, and that is already available to everyone?
    5. Re:Continue the trend by ergo98 · · Score: 5, Insightful

      But until pretty much the whole world's using DomainKeys, unsigned emails can't be dropped.

      -Your receive a message
      -You check the DNS for the key
      -It has one, but the message isn't signed. Drop the message.

      Receivers that don't check the key of course won't realize they're getting fraudulent mail, but those that do will with absolutely certainty - if Google publishes that they sign their emails, then you can be absolutely certain that unsigned emails are fakes and dump them. If the sending domain doesn't have a key then you obviously can't take advantage of this.

      An important hole in the phishing protection is that there will quickly be domains like...

      Excellent point that is very true. While this is another tool for the clueful, the clueless will happily believe derivatives, and as you mentioned they will be fully "authenticated". paypa1.com anyone?

  2. Re:Wait a minute... by Maestro4k · · Score: 5, Insightful
    • Don't get me wrong, I'm not one of them Google bashers (I don't believe the Google Desktop is spywer, for example), but in this case I would like to have an opt-out option!
    Since Gmail's a free service, I believe your opt-out mechanism is to use something else. Given this is largely an anti-spam technique (to prove an E-mail is legitimately from the domain it says it is) I can't see Google being willing to provide an opt-out on this, it would undermine the whole effort.
  3. What about... by ottergoose · · Score: 5, Insightful

    What about all of those zombie machines out there that send spam via Outlook - since that email is going out with a valid account, it would be flagged as legit.

    Tell me where I'm wrong.