The company said it has completed two-way DomainKeys support in its US-based Yahoo Mail service, and is in the process of rolling out support across its international domains.
"In the US we are signing messages with DomainKeys and are checking messages with DomainKeys signatures," said Yahoo spokesperson Terrell Karlsten. "On the international side we are checking, and are deploying signing."
DomainKeys, created by Yahoo and currently under consideration for standardization in the Internet Engineering Task Force, is designed to protect email users from email-borne threats that spoof the address of the sender, such as worms and phishing attacks.
Senders create a cryptographic key pair and publish the public key in their domain name system record. They then sign outgoing mail with their private key, so recipients can verify that the sending address is legitimate with a simple lookup.
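The sign, publish and look-up flow described above, as an added example that is not from Yahoo or the DomainKeys specification. It uses textbook RSA over a SHA-1 digest with small constructed keys and a dictionary standing in for DNS; the `example.com` addresses, key sizes and function names are all assumptions.

```python
import hashlib

# Constructed toy keys from known Mersenne primes; far too small for real use.
E = 65537
def make_key(p, q):
    """Return (public modulus, private exponent) for textbook RSA."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

SENDER_N, SENDER_D = make_key(2**89 - 1, 2**127 - 1)   # example.com's key pair
OTHER_N, OTHER_D = make_key(2**61 - 1, 2**107 - 1)     # a key example.com never published

# Stand-in for DNS (assumption): domain -> public modulus published by that domain.
DNS = {"example.com": SENDER_N}

def digest(sender, body):
    """Hash the From address together with the body, so neither can be swapped."""
    data = (sender + "\n" + body).encode()
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(sender, body, n, d):
    """Sender side: sign with the private exponent d."""
    return pow(digest(sender, body), d, n)

def verify(sender, body, signature, dns=DNS):
    """Recipient side: look up the From domain's key and check the signature."""
    domain = sender.rsplit("@", 1)[-1].lower()
    n = dns.get(domain)
    if n is None:
        return "no-key"   # domain publishes nothing, so the address cannot be authenticated
    if not 0 <= signature < n:
        return "fail"
    return "pass" if pow(signature, E, n) == digest(sender, body) else "fail"

def demo():
    body = "Your statement is ready."
    good = sign("billing@example.com", body, SENDER_N, SENDER_D)
    forged = sign("billing@example.com", body, OTHER_N, OTHER_D)
    return {
        "genuine": verify("billing@example.com", body, good),
        "body altered": verify("billing@example.com", body + " Log in here.", good),
        "signed with unpublished key": verify("billing@example.com", body, forged),
        "domain without a key": verify("billing@example.net", body, good),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "domain without a key" case is the adoption gap the article goes on to describe: a recipient can only reject spoofed mail for domains that actually publish a key.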
For the system to be completely foolproof it of course requires all the companies likely to be phished, banks and e-commerce sites mainly, to adopt the specification. Currently, there are only a handful of adopters.
"As other trustworthy brands out there start using DomainKeys we can start protecting our users from phishing attacks," Karlsten said. "Right now, we only protect our users from Yahoo[-spoofed] phishing attacks."
EarthLink said that it is testing the technology. The ISP is also a supporter of Sender ID, a related proposal from Microsoft Corp and Pobox.com, also currently struggling through the IETF standards track.
As a side effect of protecting against domain spoofing, DomainKeys and Sender ID are expected to ultimately play a role in curbing the spam pandemic. If senders can be identified, they can be filtered based on reputation.
Like Sender ID, DomainKeys is protected by pending patents, and Yahoo, like Microsoft, is enforcing a royalty-free license on developers who wish to implement the spec. In Microsoft’s case, the license was a cause for concern among open-source developers.
Such licensing is arguably a symptom of lawyer-oriented corporate cultures, and both Microsoft and Yahoo insist the licenses are there purely to protect themselves and implementers against patent infringement suits by other implementers.
The Yahoo license says that those who implement DomainKeys support in their hardware or software must not sue anyone else for implementing the spec and that similar terms must be included in contracts for any third party who uses that software.