Slashdot Mirror
Gmail Begins Signing Email with DomainKeys
NW writes "According to a post at IETF's MAIL-SIG list, Google has begun to sign outgoing email from Gmail with Yahoo's DomainKeys signatures. This is the first large provider of email that is actually doing so (not even Yahoo has started that yet)."
Will it ever catch on? If enough people implement and use it, then yes.
Why not? If Google can grow to be numero uno in free webmail providers, that in itself will be a strong convincing factor.
The thing I like about Google - they do good things which forces other companies to follow them. Take search, for instance. Other companies had such horribly cramped search interfaces and ads, until Google came up with a clean and mean interface.
Now everyone - Yahoo!, Altavista, MSN Search - follow's Google's example.
I'm sure that if Gmail was to pick up momentum, the sheer number of users and need for interoperability would kinda force others to follow suit.
All these other providers had the means and the option, but did not do so. MS has so much funds and Hotmail in itself is responsible for a good chunk of spam - if MS had taken this stance, they could easily force other providers to adopt this technology and help decrease spam in the process.
But no.
_This_ is why I like Google. Way to go, guys.
I don't see how it's any better than SPF?
In fact, it could be worse since now a calculation is required to verify the sender in addition to the DNS query.
Anybody care to enlighten me?
No sig
Alright, I DID RTFA, and basically what this describes is just another way to authenticate that the user is from that domain. Isn't that the same thing SPF does? They both seem to accomplish the same task, but SPF appears to be easier to manage and easier to support. My personal (commercial) mail server already supports SPF, sendmail et al. support it (via external component), and my Barracudas (awesome product!) are beta testing spf support right now.
Oh yeah, and gmail already support SPF. Why promote different standards that are apparently identical in purpose?
If you are out to describe the truth, leave elegance to the tailor - Albert Einstein
I mean, without some third-party software. hmm.. don't know how entourage (or outlook) would work with labels though.
"What seems to be the problem, osciffer?" (pronounced aus-if-fer.. bah forget it)
Correct me if I am wrong, but if I understand this correctly, and if filtering with this becomes widely adopted, then it will also prevent me from sending mails with my gmail-address from my smtp server.
So I would have to use their web-interface, or hope they wil eventually make a smtp-server useable for a fee
Not that this is not their right and all, and I could just stop using it if I don' like it, free service, yada yada..
Still, this gives a little too much control to my email-domain-provider about which smtp-server I can use, than I am comfortable with.
I have a web domain mainly to receive e-mail.
When I send mail, I use my domain in the "from."
However, my domain provider doesn't allow smtp, so my outgoing mail is through my ISP.
If my ISP supports domain-keys, they will sign my outgoing mail, but it will NOT match my totally-legitimate "from."
According to the domain-keys summary, this would flag my mail. In medical terms, this is called a false-positive.
How does domain-keys prevent something like this from being a problem, other than by forcing users to adopt a completely different e-mail stragegy?
I've quoted some of the interesting looking parts below.
See what I've been reading.
You forgot:
7. Yahoo is suggesting a solution that *should* have been the first thing everyone tried. Inventing complex new mail records is just silly.
Javascript + Nintendo DSi = DSiCade
(not even Yahoo has started that yet)
/.) that they had now the absolutely perfect SPAM filtering solution in place, I wrote them why they implemented this for their freebie "mail.yahoo" accounts, but not for folks that are paying them 15 bucks a month.
..... the fuckers..... So, I replied to them that I didn't think it fair that freebie customers got a better SLA than those people paying 150 bucks a year.
Doesn't surprise me. My domain was once hosted with a pretty satisfactory ISP called SimpleNet (what a name, but their service was good!!). They were absorbed by Yahoo and continued under the brandname Yahoo WebServices. So far, so good...
Over the years, I got more and more spam, so when Yahoo one time announced (I'm sure I read it on
Oh dear, had I underestimated Yahoo logic!! The reply was that I could upgrade my account to a business account (for 30+ bucks a month) to obtain the SERVICE (!!!) of spam filtering
No answer of course and I moved my domain to another ISP at the end of the year.....
Browsers shouldn't have a back button!! It's all about going forward...
Once you can trace email back to the source, you can -- in theory -- start cracking down on the problem. As it stands at the moment, you can't do this tracing reliably (Windows bots and suchlike), and that means that people can get away with this stuff with impunity.
Of course, this does nothing to solve the problem of the criminals in Russia (or other country without appropriate law enforcement) ...
No, this will really work. It enables differential filtering based on the managed reputation of the sending service. (faughnan.com/spam.html).
I advocated this many years ago, but it doesn't need advocacy -- it will simply happen.
Unsigned email gets filtered very aggressively. Some will get lost of course -- aggressive filters err to false positives. People who want their mail to be read will move to authenticated sending services.
Signed email from domains with bad reputations will be deleted in the pre-filter. Reputation services will manage domain reputations.
Email from an authenticated sending service with a good reputation gets lightweight filtering. If the domain doesn't manage their members the domain reputation suffers -- and filtering gets more aggressive. Domain members head for the exits.
BTW, the same policy of managed reputation of sending services has a 'real world' equivalent. In the future world of high security, privacy may yet exist within communities that manage their reputations.
John Faughnan
jfaughnan@spamcop.net
has anybody succeeded in verifying one of the domainkey headers from a gmail message?
- delany-d omainkeys-base-01.txt
... s=beta; d=gmail.com; ...
after reading the ietf draft:
http://www.ietf.org/internet-drafts/draft
if this is in the message header:
DomainKey-Signature:
i think you should be able to retrieve the public key necessary to verify it by querying dns for a txt record for
beta.gmail.com
but i don't get anything back in the answer section when i run
dig TXT beta.gmail.com
anyone have better luck verifying one of these messages? or is the gmail domainkeys implementation incomplete at present?
about sean dreilinger
That's all well and good, but, assuming this thing takes off, did you see this bit in the FAQ's?
"However, it is possible that Certificate Authorities may become a valuable addition to the DomainKeys solution to add an even greater level of security and trust."
So, to extend the "SUSPECT" folder, are we eventually going to find ourselves in the position where we all have to pay a CA simply to avoid having mail from private domains being bounced by big/wealthy/corporate providers.
This would suck, I have about 20 domains that I serve mail for, a couple of commercial ones, but mainly domains for friends, myself etc. At 50 odd dollars a throw, that'd be $1000 dollars a year.
Don't get me wrong, public verification would be nice in certain circumstances, but I can't see how this would happen without incurring considerable cost, after all, what you are paying for (in theory) is for someone else to verify you are who you say you are - this is a service that quite rightly is chargeable.
To go one step further, it would also (once more, in theory - in my experience the checking done for CA signed certs is non-existent/trivial to circumvent) reduce the anonymity and privacy on the net that we all value so highly - at least as far as email is concerned.
I believe I had a legit point, anyone who is actually qualified want to take a stab at it?
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Yahoo ! owns over 10 percent of Google's outstanding shares. Notice how even that link begins with google.com and send you to Yahoo's stock portal?
Leaving aside the question of how the DNS records get updated, is it possible to implement Yahoo's domain signatures (both signing and verification) in a mail client (Evolution, Thunderbird), or does it have to be in the server? It looks to me like that should be possible, but it's not completely clear from the spec.
If it is, then one way of getting these more widely used might be to integrate support for them into mail clients. That way, people with personal domains can sign their outgoing messages, and they can write filter rules (e.g., in Mozilla/Firefox) to deal with unsigned messages, correctly signed messages, and incorrectly signed messages as they like.
On my news submission form, there's a field for people to enter their email address. When I receive the completed form (it's forwarded to my Gmail account) and the sender has used a Gmail address, a yellow warning bar appears cautioning about trusting the email.
PocketGamer.org - For the gamer on the go!
the sole purpose of a sender verification solution in connection with e-mail
But what other area could the patent possibly apply to? To the degree that the patent has any content at all, it is the application of a simple signature scheme to sender verification. If it applied to other fields of use, then it would amount to Yahoo! getting a patent on digital signatures in general, which just doesn't make sense.
If the ISP requires authentication, then the person with the infected machine will be easy to find after a spam complaint and shut down for a few days till they clean up their machine.
I just grabbed the statistics for one A/V vendor's top virus alert today (http://www.trendmicro.com/vinfo/virusencyclo/defa ult5.asp?VName=PE_FUNLOVE.4099&VSect=S)
Roughly 10 million infected.
Imagine that having trojan capabilities. If it took one minute to shut off a trojaned, infected computer, that would result in roughly 100 days of spamming (if my back-of-the-napkin calculations are correct).
But that is a rather crude way of doing it. If I was evil enough to do it, I'd write up a little virus that would send itself out with the address book over time, to escape detection, then spam the address book, then die.
"If the patent has limited applicability, why would yahoo bother to put a redundant clause into the license?"
Because (having gotten licenses like this through corporate legal departments myself) it would have been more work to leave the clause out. The lawyers probably asked the developers and business people: "what specifically is it you want to license" and wrote just that into the license. Determining whether the patent has any uses beyond E-mail sender verification wasn't what they got paid for and there would have been no benefit to them to leave out the clause.
In any case, this isn't up to Yahoo to determine. I'm saying that the patent seems difficult to enforce to me even when it comes to sender verification (but it is good to have it under these terms for defensive purposes), but that the patent really seems to lose all meaning when applied to other areas.
starting to??? Not quite. I wouldn't worry about it - Email is a complex system and complex things need complex information to work... it should be okay as long as the user agent knows how to hide the irrelevant information by default.
Could be worse. Could be a message as a .doc attachment. Or a .ppt. With clip-art.
I think your scalability point is going to prove important. I think it would be computationally rather expensive for the moment. My pubring has around 900 keys and the database is 12 MB. But then, it could become feasible in the future, as processing capacity does increase fast.
However, the real thing here is that PGP does not help you verify identity directly. It helps you verify that a message was sent by "Foo Bar ", and that it has not been altered while in transmission. Still, there is additional effort involved in knowing who "Foo Bar " is. Sure, you may know someone called "Foo Bar", but you don't know that it isn't some spammer who generated this keypair with your friend Foo Bar's credentials to get through your filters. Unless you have signed this key.
I don't think you will ever be able to sign all the keys of everyone who might legitimately send you e-mail, but you can build a web-of-trust based on PGP's concept of ownertrust, and I have put some effort into it myself, so I now trust roughly 1500 keys.
Doing this is a largish undertaking, however, and I think that is the main reason why I really can't envision PGP being useful for combatting spam in near future.
Employee of Inrupt, Project Release Manager and Community Manager for Solid