Slashdot Mirror


Gmail Begins Signing Email with DomainKeys

NW writes "According to a post at IETF's MAIL-SIG list, Google has begun to sign outgoing email from Gmail with Yahoo's DomainKeys signatures. This is the first large provider of email that is actually doing so (not even Yahoo has started that yet)."

19 of 416 comments

  1. Continue the trend by synthparadox · · Score: 5, Insightful

    Google has almost everything now, why don't they make their own Anti-Spam domainkey type service?

    1. Re:Continue the trend by Russ+Nelson · · Score: 5, Insightful

      They want some hope of interoperability with other MTAs.
      -russ

      --
      Don't piss off The Angry Economist
    2. Re:Continue the trend by Hanzie · · Score: 5, Insightful
      > ...why don't they make their own Anti-Spam domainkey type service

      In order for this to be the most useful, the solution needs to be usable by everybody. Yahoo has come up with a workable system, and has licensed it to everybody for free use (I await the EFF's opinion on the terms of use, but it looks pretty good to me.)

      Google has seen Yahoo's solution and deemed it 'good'. They'll use it, and traction will thus be gained. According to the article, sendmail is working on an implementation of it, for which I rejoice.

      The biggest hurdle to using this is to actually get others using it. Google has decided to throw their weight behind Yahoo's implementation. Fortunately, they've beaten the proprietary versions. I can't imagine anyone now going with a pay to use version, when this is available.

      You can also build in as much security as you want, since RSA keylength is decidable by the domain, rather than fixed.

      Hooray!

      Hanzie
      --
      ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
    3. Re:Continue the trend by user+no.+590291 · · Score: 5, Insightful
      But until pretty much the whole world's using DomainKeys, unsigned emails can't be dropped. How would emails sent from ebay.com that contain no signature be handled? I've only skimmed the IETF draft, but unless all messages without signatures incur a key lookup (to see if it should be signed), then unsigned messages from ebay.com and paypal.com would get through.

      An important hole in the phishing protection is that there will quickly be domains like ebaysecurity.com, paypalinfo.org, or paypalfraudunit.com ad nauseam, the possible iterations over which can't all be preemptively registered, which could have perfectly valid DomainKeys signatures because the phishers would control the domains.

    4. Re:Continue the trend by tomhudson · · Score: 5, Insightful
      There are lots of reasons not to develop their own:
      1. The terms to license DomainKeys are very liberal
      2. Google doesn't suffer from the NIH (Not Invented Here) syndrome, and wants to show itself as being an open company
      3. This will help the tech reach the "critical mass" much sooner
      4. gmail users tend to be "early adopters", so why not offer it to those "early adopters", and signal a trend :-)
      5. Google wants to be seen as working against spammers - can you blame them?
      6. Google has other fish to fry (ie: Microsoft search), so why not adopt tech that can compete successfully with Microsoft's proposed solution, and that is already available to everyone?
    5. Re:Continue the trend by ergo98 · · Score: 5, Insightful

      > But until pretty much the whole world's using DomainKeys, unsigned emails can't be dropped.

      - You receive a message
      - You check the DNS for the key
      - It has one, but the message isn't signed. Drop the message.

      Receivers that don't check the key of course won't realize they're getting fraudulent mail, but those that do will with absolute certainty - if Google publishes that they sign their emails, then you can be absolutely certain that unsigned emails are fakes and dump them. If the sending domain doesn't have a key then you obviously can't take advantage of this.

      > An important hole in the phishing protection is that there will quickly be domains like...

      Excellent point that is very true. While this is another tool for the clueful, the clueless will happily believe derivatives, and as you mentioned they will be fully "authenticated". paypa1.com anyone?
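The receiver-side steps listed above, written out as an added Python example (not part of any comment in the thread). It assumes the policy record at `_domainkey.<domain>` with the `o=-` (all mail signed) and `t=y` (testing) tags from the DomainKeys specification, a hypothetical `txt_lookup` resolver hook, and constructed example.* records; it decides only what happens before the cryptographic check.

```python
import email
from email.utils import parseaddr

def parse_tags(text):
    """Split a 'tag=value; tag=value' list into a dict."""
    pairs = (item.split("=", 1) for item in text.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def sending_domain(msg):
    """Domain of Sender: if present, otherwise of From:."""
    addr = parseaddr(msg.get("Sender") or msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def triage(raw_message, txt_lookup):
    """Pre-crypto decision. txt_lookup(name) returns a TXT string or None (assumed hook)."""
    msg = email.message_from_string(raw_message)
    domain = sending_domain(msg)
    if not domain:
        return "no-sender-domain"
    signer = parse_tags(msg.get("DomainKey-Signature", "")).get("d", "").lower()
    # This example only honours a signature whose d= is the sender's domain or a parent of it.
    if signer and (domain == signer or domain.endswith("." + signer)):
        return "verify-signature"
    # Unsigned, or signed by an unrelated domain: ask what the sender's domain claims.
    policy = parse_tags(txt_lookup("_domainkey." + domain) or "")
    if policy.get("t") == "y":
        return "accept-testing"      # domain is only testing; do not penalise
    if policy.get("o") == "-":
        return "reject-unsigned"     # domain says it signs everything
    return "accept-no-claim"         # no policy, or o=~ (signs some mail)

# Constructed policy records standing in for DNS.
POLICIES = {
    "_domainkey.example.com": "o=-",
    "_domainkey.example.org": "o=-; t=y",
    "_domainkey.example.net": "o=~",
}

def demo(headers):
    """Run triage on a constructed message made of the given header lines."""
    return triage(headers + "\n\nbody\n", POLICIES.get)

if __name__ == "__main__":
    print(demo("From: Alice <alice@example.com>"))
```

A lookalike domain with no policy record, or with its own valid key, still comes out as acceptable here, which is the limitation both comments point at.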

    6. Re:Continue the trend by femto · · Score: 5, Informative

      It's not really free, as the yahoo license is for a very narrow field of use. If the DomainKeys is implemented as free software, it doesn't seem possible (by my reading) to use the software outside the narrow area defined by yahoo ("the sole purpose of a sender verification solution in connection with e-mail.") Hence the software isn't really free (and neither is DomainKeys).

    7. Re:Continue the trend by magickalhack · · Score: 5, Funny

      That's funny. I trust president@whitehouse.com much more than I trust president@whitehouse.gov.

      --
      This Sig Kills Fascists
    8. Re:Continue the trend by miley · · Score: 5, Informative

      > According to the article, sendmail is working on an implementation of it, for which I rejoice.

      It's been available for several months: http://sendmail.net/dk-milter/

  2. Re:Wait a minute... by Maestro4k · · Score: 5, Insightful
    > Don't get me wrong, I'm not one of them Google bashers (I don't believe the Google Desktop is spyware, for example), but in this case I would like to have an opt-out option!
    Since Gmail's a free service, I believe your opt-out mechanism is to use something else. Given this is largely an anti-spam technique (to prove an E-mail is legitimately from the domain it says it is) I can't see Google being willing to provide an opt-out on this, it would undermine the whole effort.
  3. Hazards of skim reading.... by Owndapan · · Score: 5, Funny

    I saw DomainKeys and read DonKeys. It took me forever to work out how such an animal could be used to sign emails for spam-filtering... I'll be releasing a white paper on it shortly.

  4. Header Example by trawg · · Score: 5, Informative

    For those (like me) that have no idea what this would actually look like, here's the DomainKey header from an email I just sent myself from GMail:

    DomainKey-Signature: a=rsa-sha1; c=nofws;
      s=beta; d=gmail.com;
      h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
      b=ONG9HfGg74ZbrOOI8IwjwhGUX+PlGp1+clGIyvWriiltDmXExdmdDWoblELIrVMw3yex7xRyib6m4Q5pInSfi2mr1IQRZINzf2qTI/9QtFMkpwJUcWJeBt8VPzdxpNCdItxyNnALLIXjrsBAcYsY8Gv7C6HJR0E6OFZCM0qWrCo

    1. Re:Header Example by FunkyMarcus · · Score: 5, Informative

      > Who do they think they are, not prepending "X-" to their weird headers?

      You're kidding, right?

      The DomainKeys proposal has been submitted as an Internet-Draft. In other words, the DomainKeys-Signature header field is on the best possible track to becoming a recognized field. The only thing that recognition would mean is that the DomainKeys-Signature field could not be used for other purposes.

      Even so, RFC 822 does not require private header fields (what it calls "user-defined fields") to begin with X-; it is merely offered as good advice to those who never intend to seek official recognition for their fields.

      Of course, the extension field name registry endorsed by RFC 822 does not exist, and in fact, no extension field name registry for 822-format messages exists. (It seems like IANA should maintain one, but they don't. RFC 2076 is a good start.) The best guidance is to treat de facto usage as the standard, and allow for expansion through the formal RFC procedures, of which publication as an Internet-Draft is an element.

      And remember, it's already an Internet-Draft.

      Mark

  5. Re:domainkeys, SPF by wayne · · Score: 5, Informative
    I'm on the (not yet IETF) MASS mailing list, the DomainKeys mailing list, and I read the DomainKeys spec a couple of months ago, but I can't say I'm an expert on all things domainkeys.

    SPF verifies that the IP address of the mail server sending you the email is authorized by the domain to do so. This causes problems when email is forwarded, such as via pobox.com. It requires all email to be sent through "authorized" servers, which can cause problems when people are working from home and want to send email, or when you are in a cyber cafe. It also causes problems when email is generated on greeting-card/news-story websites.

    DomainKeys creates a hash of the email body and some of the headers and uses public key technology to sign it. This causes problems when email is sent to a mailing list and the mailing list mangles it or when it is sent through things like MS Exchange servers. There are also problems with being able to replay the message. Like SPF, there are problems when people are working from home and want to send email, or when you are in a cyber cafe. Also like SPF, it causes problems when email is generated on greeting-card/news-story websites.

    Using DomainKeys, a spammer can send an email from a throw-away gmail account to another email account, pick up a copy of the spam with the correct domainkeys signatures, and then blast it out to everyone. I can't see any way to prevent this with domainkeys.

    Many mailing lists add stuff at the end, either unsubscribe/archive info, or outright ads. In order to make DomainKey signatures survive being sent through mailing lists, the email body is converted to a "canonical form", which allows this extra text to be ignored.

    The problem is that a spammer can subscribe to a mailing list, watch for emails without much text, then add their own ads (spam) onto the end and send it out.

    I think domainkeys is an interesting idea, but as of right now, I can't see how it is ever going to work or be useful.

    --
    SPF support for most open source mail servers can be found at libspf2.
  6. Domain Keys question by Anonymous Coward · · Score: 5, Interesting

    I have a web domain mainly to receive e-mail.
    When I send mail, I use my domain in the "from."
    However, my domain provider doesn't allow smtp, so my outgoing mail is through my ISP.
    If my ISP supports domain-keys, they will sign my outgoing mail, but it will NOT match my totally-legitimate "from."
    According to the domain-keys summary, this would flag my mail. In medical terms, this is called a false-positive.
    How does domain-keys prevent something like this from being a problem, other than by forcing users to adopt a completely different e-mail strategy?

    1. Re:Domain Keys question by Russ+Nelson · · Score: 5, Informative

      This is a good question; somebody mod it up (obviously *I* can't).

      If your ISP supports domain-keys, they won't sign your outgoing mail, because they don't have a private key and selector/public-key combination for your from:. If they trust that you are you (e.g. because they used smtp-auth with reasonably secure passwords), then they might insert a Sender: header with your authentication information in it.

      The alternative is for you to sign your outgoing email, or deal with people's reaction to the reception of unsigned email.
      -russ

      --
      Don't piss off The Angry Economist
  7. What about... by ottergoose · · Score: 5, Insightful

    What about all of those zombie machines out there that send spam via Outlook - since that email is going out with a valid account, it would be flagged as legit.

    Tell me where I'm wrong.

  8. Re:how to verify? no txt record for beta.gmail.com by miley · · Score: 5, Informative

    you need a _domainkey in there:
    $ host -t TXT beta._domainkey.gmail.com
    beta._domainkey.gmail.com text "t=y\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC69TURXN3oNfz+G/m3g5rt4P6nsKmVgU1D6cw2X6BnxKJNlQKm10f8tMx6P6bN7juTR1BeD8ubaGqtzm2rWK4LiMJqhoQcwQziGbK1zp/MkdXZEWMCflLY6oUITrivK7JNOLXtZbdxJG2y/RAHGswKKyVhSP9niRsZF/IBr5p8uQIDAQAB"
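
As an added example (not code from the thread, Google or Yahoo), this Python sketch takes the header and TXT record quoted in the two comments above, derives the DNS name a verifier queries, and reads the published key's test flag and RSA modulus size. The signature value is trimmed to the tags the lookup needs, and the function names are this example's own.

```python
import base64

def parse_tags(text):
    """Split 'tag=value; tag=value' into a dict, dropping whitespace inside values."""
    pairs = (item.split("=", 1) for item in text.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def key_query_name(signature_value):
    """DNS name that holds the signer's public key: <s>._domainkey.<d>."""
    tags = parse_tags(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def der_read(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def rsa_modulus_bits(spki):
    """Walk a DER SubjectPublicKeyInfo down to the RSA modulus and measure it."""
    _, seq, _ = der_read(spki, 0)          # outer SEQUENCE
    _, _, alg_end = der_read(spki, seq)    # AlgorithmIdentifier
    _, bits, _ = der_read(spki, alg_end)   # BIT STRING wrapping the key
    _, key, _ = der_read(spki, bits + 1)   # skip the unused-bits byte
    _, mod, mod_end = der_read(spki, key)  # modulus INTEGER
    return int.from_bytes(spki[mod:mod_end], "big").bit_length()

def describe_key_record(txt):
    """Summarise a selector TXT record: test mode, key type, key size."""
    tags = parse_tags(txt.replace("\\;", ";"))   # host(1) prints ';' escaped
    return {"testing": tags.get("t") == "y", "type": tags.get("k", "rsa"),
            "bits": rsa_modulus_bits(base64.b64decode(tags["p"]))}

# Values copied from the comments above (signature trimmed to a=, c=, s=, d=).
SIGNATURE = "a=rsa-sha1; c=nofws; s=beta; d=gmail.com"
KEY_RECORD = (
    "t=y\\; k=rsa\\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC69TURXN3o"
    "Nfz+G/m3g5rt4P6nsKmVgU1D6cw2X6BnxKJNlQKm10f8tMx6P6"
    "bN7juTR1BeD8ubaGqtzm2rWK4LiMJqhoQcwQziGbK1zp/MkdXZ"
    "EWMCflLY6oUITrivK7JNOLXtZbdxJG2y/RAHGswKKyVhSP9niR"
    "sZF/IBr5p8uQIDAQAB")

if __name__ == "__main__":
    print(key_query_name(SIGNATURE), describe_key_record(KEY_RECORD))
```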

  9. Extremely bad advice by KjetilK · · Score: 5, Informative

    > Have scripts that autorespond to any "from" that goes to any of the 4 dummy addresses, so as to waste spammers time with false positives.

    Do not ever do this! It is extremely bad advice.

    From addresses are almost always forged, usually there is just random junk in the From. Quite often there are valid addresses there, and your autoresponders will spam those innocent bystanders. They will be very thankful, you bet!

    Finally, it is not uncommon that spammers forge in anti-spammers who have successfully shut them down before in there. When I was still actively pursuing spammers, I had my addresses forged this way. I have had my share of moronic autoresponders. It is not fun at all. If you do this, you only contribute to the spam, and you bet that if you annoy a real anti-spammer enough, you will find your own connection to be a smoking hole faster than you can imagine.

    In fact, having autoresponders at all is not recommendable at all at this time. If you first accept an e-mail and then generate a bounce message, if the MAIL FROM was forged, that bounce will go to a random bystander, which is bad. If you use autoresponders, or generate bounce messages, you should be careful not to bounce at forged from addresses.

    Although it is a bit controversial still, you may configure your system to reject spam and viruses at SMTP time. Then you will not generate a bounce, a relay may, but then, hijacked relays usually don't either (I think there are good reasons for this). So, I am of the opinion that this is good practice.

    Autoresponders are Evil however.

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid