Now that we understand how digital signatures work, let's take a look at DomainKeys. Like SPF and SenderID, DomainKeys is a mechanism of sender authentication.
DomainKeys uses public key encryption to authenticate messages. It works in the following way (much of this is based upon Yahoo's description):
We can see that DomainKeys is similar to SenderID in terms of authentication. It differs from SPF in that it protects the From: address, just like SenderID. To combat spam and phishing/spoofing, there are two ways as I describe above, plus the reputation system:
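To make the "protects the From: address" point concrete, here is an added example (not part of the original post, and not Yahoo's reference code) of the DomainKeys idea in Go: the sending domain signs the From:, Subject: and body with its private RSA key, publishes the public key under a selector at selector._domainkey.domain, and the receiver fetches that key and checks the signature. The DNS lookup is simulated with an in-memory map, the canonicalization is a fixed join of the signed fields rather than the real "simple"/"relaxed" rules, and the selector, domain and message contents are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a simplified email: the signed headers, the body, and the
// selector/domain that tell the verifier which DNS record holds the key.
type Message struct {
	From, Subject, Body string
	Selector, Domain    string
	Signature           string // base64 RSA signature (the DomainKey-Signature header)
}

// canonical builds the bytes that both signer and verifier hash. Real DomainKeys
// defines "simple" and "nofws" canonicalization; this fixed join is an
// assumption of the example, chosen so that any change to From: alters the hash.
func canonical(m Message) []byte {
	return []byte("from:" + strings.TrimSpace(m.From) + "\r\n" +
		"subject:" + strings.TrimSpace(m.Subject) + "\r\n\r\n" + m.Body)
}

// dnsRecords stands in for TXT lookups at <selector>._domainkey.<domain>;
// values are base64 PKIX public keys, like the p= tag of a real record.
type dnsRecords map[string]string

func publishKey(records dnsRecords, selector, domain string, pub *rsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	records[selector+"._domainkey."+domain] = base64.StdEncoding.EncodeToString(der)
	return nil
}

// signMessage is what the sending domain's MTA does with its private key.
func signMessage(priv *rsa.PrivateKey, m Message) (Message, error) {
	h := sha256.Sum256(canonical(m))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return m, err
	}
	m.Signature = base64.StdEncoding.EncodeToString(sig)
	return m, nil
}

// fromDomain extracts the domain part of the From: address ("a@x.com" or "<a@x.com>").
func fromDomain(from string) string {
	from = strings.Trim(strings.TrimSpace(from), "<>")
	return from[strings.LastIndex(from, "@")+1:]
}

// verifyMessage is the receiver's side: the From: domain must be the signing
// domain, the key must be in DNS, and the signature must cover the message.
func verifyMessage(records dnsRecords, m Message) error {
	if fromDomain(m.From) != m.Domain {
		return fmt.Errorf("From: domain %q is not the signing domain %q", fromDomain(m.From), m.Domain)
	}
	rec, ok := records[m.Selector+"._domainkey."+m.Domain]
	if !ok {
		return fmt.Errorf("no DomainKeys record for selector %q at %s", m.Selector, m.Domain)
	}
	der, err := base64.StdEncoding.DecodeString(rec)
	if err != nil {
		return err
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("published key is not RSA")
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return err
	}
	h := sha256.Sum256(canonical(m))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// Demo signs a constructed message and returns whether the original verifies
// and whether the same message with a rewritten From: still verifies.
func Demo() (origOK bool, alteredFromOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	records := dnsRecords{}
	if err = publishKey(records, "mail2007", "example.com", &priv.PublicKey); err != nil {
		return false, false, err
	}
	msg := Message{From: "alice@example.com", Subject: "Hello", Body: "Constructed sample body.\r\n",
		Selector: "mail2007", Domain: "example.com"}
	signed, err := signMessage(priv, msg)
	if err != nil {
		return false, false, err
	}
	altered := signed
	altered.From = "ceo@example.com" // same domain, but the signed From: no longer matches
	return verifyMessage(records, signed) == nil, verifyMessage(records, altered) == nil, nil
}

func main() {
	origOK, alteredFromOK, err := Demo()
	fmt.Println("original verifies:", origOK, "| altered From: verifies:", alteredFromOK, "| err:", err)
}
```

The altered-From: case is the one SPF cannot catch and DomainKeys can: the receiver never has to guess who sent the mail, it only has to check that the signature over the From: header still holds under the key the domain itself published.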
I have one more comment with regards to the Frequently Asked Questions section of the DomainKeys link on Yahoo's page.
I don't use my domain's SMTP server to send email. How do I use DomainKeys?
The page has a few workarounds, none of which are great (SenderID and SPF have the same problems), but the fourth bullet point is the following:
Finally, you could choose to send unauthenticated mail. While this will not be a good long term strategy, it will certainly take quite a while before the vast majority of Internet email is authenticated. If you choose this path, you should carefully monitor the amount of authenticated mail over time to ensure that this strategy does not impact the deliverability of your email.
I'm not a big fan of this option. I'm reading through Bill Gates's book Business @ The Speed Of Thought, and one of the points he makes is that once you introduce a new system, you need to deploy it company-wide and remove the old system (once the new system works -- assume that it works better). If you give users the option to fall back to the old version, they will fall back to the old version because it's easier (at least it is initially for people), more familiar, etc. The newer, better system will never reach full deployment and you'll forever be supporting two systems. Then, if you deploy a new system later on, there will be three versions you have to support! Gates's point is that once you get a new system implemented, you have to "force" your users to use it and take the plunge, and there is no going back. (Please -- no comments about how Microsoft forces people to do stuff.)
I see this option of choosing to send unauthenticated mail as providing domain owners the option of doing something we'd rather not see them do. If we give domain owners the option of not signing mail, they will fall back to the old version and not sign their mail. A slippery slope, indeed.