Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Yahoo now signs with DKIM


This went unnoticed by me for a very long time, but I was going through some of my personal mail and I discovered that Yahoo is now signing its outbound mail with DKIM in addition to DomainKeys.

Long-time readers may remember that about two years ago, I started a series on Sender Authentication and covered DomainKeys but never got around to finishing up DKIM. I'm bad that way: I often start blog series, get bored... and don't finish them (see: Blacklists, Foreign Charsets).

DKIM (DomainKeys Identified Mail) is the successor to DomainKeys. Basically, the sender of the mail signs the contents of the mail, including some of the header information, encrypts the message with a private key and inserts the result into an x-header. The receiver retrieves a public key from DNS using information from the x-header, decodes the information and can then verify that the message did originate from the purported sender. Note that this technology is used to verify the authenticity of the sender; unlike an SPF hard fail, a DKIM failure does not assert that the sender is forged.

Anyhow, digging through my email, I found that Yahoo first started doing this on Feb 20, 2009. Yahoo does not publish SPF records, and for the longest time only did DomainKeys, which is a less flexible precursor to DKIM. Nice to see that, like Gmail, they are finally signing with DKIM. Although, as with Gmail, signing with both is kind of redundant.
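To make the sign-then-look-up-then-verify flow above concrete, here is an added example in Go (not code from this post, Yahoo or Gmail) that does a miniature DKIM round trip with RSA-SHA256 from the standard library: the message is hashed and the hash signed, and the receiver fetches the public key by selector and domain. The `dnsKeys` map is a constructed stand-in for the `<selector>._domainkey.<domain>` DNS lookup, and the "simple" canonicalization and the fixed From/Subject header set are assumptions made to keep it short.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed stand-in for DNS: receivers look up "<selector>._domainkey.<domain>" to get the public key.
var dnsKeys = map[string]*rsa.PublicKey{}
func Publish(domain, sel string) *rsa.PrivateKey { // generate a signing key and publish its public half
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dnsKeys[sel+"._domainkey."+domain] = &priv.PublicKey
	return priv
}
func tag(hdr, name string) string { // value of one "name=" tag in a "k=v; k=v" tag list
	_, rest, _ := strings.Cut(hdr, "; "+name+"=")
	v, _, _ := strings.Cut(rest, ";")
	return v
}
func bodyHash(body string) string { // "simple" canonicalization (trailing empty lines dropped), then SHA-256
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}
func headerHash(from, subject, sigHdr string) []byte { // h= fields plus the DKIM-Signature field with b= empty
	sum := sha256.Sum256([]byte("From: " + from + "\r\nSubject: " + subject + "\r\nDKIM-Signature: " + sigHdr))
	return sum[:]
}
// Sign builds the DKIM-Signature value: tags and bh= first, then the RSA-SHA256 signature fills b=.
func Sign(priv *rsa.PrivateKey, domain, sel, from, subject, body string) string {
	hdr := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=from:subject; bh=%s; b=", domain, sel, bodyHash(body))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(from, subject, hdr))
	return hdr + base64.StdEncoding.EncodeToString(sig)
}
// Verify repeats the receiver's steps: fetch the key named by s= and d=, check bh=, then check b=.
func Verify(from, subject, body, sigHdr string) error {
	sel, dom := tag(sigHdr, "s"), tag(sigHdr, "d")
	pub, ok := dnsKeys[sel+"._domainkey."+dom]
	if !ok {
		return fmt.Errorf("no key published at %s._domainkey.%s", sel, dom)
	}
	if bodyHash(body) != tag(sigHdr, "bh") {
		return fmt.Errorf("bh= mismatch: body changed after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(tag(sigHdr, "b"))
	unsigned := sigHdr[:strings.Index(sigHdr, "; b=")+4] // the value exactly as hashed at signing time
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(from, subject, unsigned), sig)
}
```

Call `Publish` once for the domain, `Sign` on the outbound side and `Verify` on the receiving side; a message whose body or From field was altered in transit fails at the bh= check or the b= check respectively, and a selector with no published key fails before any cryptography runs.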

  • Just for the record, I'll clarify a few things, if I may.

    For "the sender of the mail", read "the sending domain" -- the signatures are specifically at the domain level, not the individual user level.

    For "encrypts the message", read "creates a digital signature on the message", which involves computing a SHA-1 hash of the message (including some header fields) and encrypting that.  The message itself is not encrypted.

    For "x-header", read "standard header field ('DKIM-Signature')".  As a side note, "X-" headers, which used to be for experimental and other non-standard use, were eliminated as a special thing in RFC 2822, after a good deal of discussion in the IETF DRUMS working group.

    For "did originate from the purported sender," read "... purported sending domain," and so on through the end of the paragraph.

    The DKIM equivalent to "SPF hard fails" is driven by the new standard for "Author Domain Signing Practices", an adjunct to DKIM in which sending domains can say "I sign all my outbound mail," giving receiving domains extra information to use in their evaluations.  The ADSP document has been approved as Proposed Standard, and is in the RFC Editor queue now, and should be published as RFC 5617 soon.

    -- Barry Leiba, IETF DKIM working group chair

  • Everything you have said is correct, Barry.

    Except for one thing: Yahoo signs with SHA-256!
