Today, a consortium of companies including Google, Microsoft, Facebook and Paypal announced that they were collaborating and coming up with a new protocol known as DMARC – the Domain-based Message Authentication, Reporting and Conformance. What is DMARC? This is very much a summary of DMARC in a nutshell...

It sure seems like I am having a lot of debates with my co-worker lately about the nature of mail filtering.  Why do I say this?  Because I had one today.  This one is over the issue of trust. I can’t remember whatever it is we were discussing (I think it was something to do with product...

Well, what do you know? I don’t know if they have been doing them all along and have only finally decided to expose the result, but I logged into my Yahoo mail the other day and checked out the message headers of a mail in my inbox.  I was surprised to discover that Yahoo is now exposing the Received...

In my previous post, I noted that rustock had started sending us a whole pile of spam over the TLS protocol.  The question now is why do it at all?  I mentioned in my post that this is clever behavior and one of my readers posted in a comment “What makes this so clever?” The issue of authentication...

Did you ever wonder how many organizations out there are signing their mail with DKIM?  Or how many organizations rely on SPF as a tool to validate their inbound mail? Well, I’ve wondered as well.  DKIM supposedly is getting more popular, but how widespread is it?  Are lots of people using...

This went unnoticed by me for a very long time, but I was going through some of my personal mail and I discovered that Yahoo is now signing its outbound mail with DKIM in addition to DomainKeys. Long time readers may remember that about two years ago, I started a series on Sender Authentication and covered...

Sometimes an end user wants to flag a specific sender as a safe sender, that is, they always want messages from that user to go to their inbox.  You've probably seen this in some newsletters where they say at the top or bottom of the message to please add them to your address book which will prevent...

In my other post in a Q&A excerpt with Dave Crocker by Investor's Business Daily, I'd like to now respond to some of my selected quotes. Crocker: You have to create what I call a trust overlay to the existing e-mail system. Existing senders and receivers can continue to use e-mail as before... All...

We finally got around to deploying all of our new features from our latest release.  As I explained a couple of months ago, I created a hybrid of SPF and SenderID in response to customer demand.  I called it TMA, or Terry's Message Authentication.  It was an SPF check on the From or Sender...

The other day I was reading Investors Business Daily and came across an article whose title you see in the subject line of this blog post.  The article is a Q&A Dave Crocker of BrandenBurg InternetWorking.  If you're like me and too lazy to click the link and read the article, allow me...

As I said earlier, I needed to come up with an authentication mechanism that protected the From: or Sender: address in the message headers. But, I did not want to replace SPF with SenderID. So, I came up with another solution which I call TMA. I would implement a "lite" version of SenderID. At first...

I'd now like to post something about the inspiration for this whole series on authentication.  I'm not done with DomainKeys, I still have to post a little bit on DKIM and one other authentication mechanism, and then this series will be done.  But I need to boast about one of my achievements...

Canonicalization is the process of preparing a message for signing. This process is necessary because of the way email is handled in transit by various mail servers. For example, some mail relayers handle white space and line wraps just fine, others do not and strip them or insert them. All email was...

Let's plow through a few real life examples. Here's an actual DomainKey Signature: Example 1 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.au; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=Nin4jVEsnqKpfH6nKyRwaSxJzzaH5tX0hDJeJgNCx9af7VbBiV7kwEGn4z44Dtg...

This post will again be a paraphrase of that which is found in RFC 4870 . Now that we have seen how public keys are stored in DNS, we will next look at how a signing server generates the message signature. The signature of the email is stored in the "DomainKey-Signature:" header which contains all of...

Now that we have an overview of how DomainKeys works, we're going to look at how a service using DomainKeys generates a DomainKeys signature. When a receiving email server gets the message and sees that there is a DomainKeys header, it has to retrieve the key from DNS. The DomainsKey header is "DomainKey...

Now that we understand how digital signatures work, let's take a look at DomainKeys. Like SPF and SenderID, DomainKeys is a mechanism of sender authentication. DomainKeys uses public key encryption to authenticate messages. It works in the following way (much of this is based upon Yahoo's description...

I'm taking a quick timeout from my series on explaining Sender Authentication to post some quick stats on authentication. I took an 8-hour snapshot of our logs to collect some statistics. I started tracking how often senders use SPF, DomainKeys and DKIM (I will go into DomainKeys and DKIM in a future...

We've seen encryption, secret key encryption and public key encryption. Public key encryption allows a sender to encrypt the contents of the message and have only the intended recipient read it. They do this by encrypting with the public key and decrypting with the private key. However, recall that either...

The basic idea behind secret key encryption is the following: You don't have to keep the algorithm a secret. You do need to keep the key a secret. To increase the security of the contents, you lengthen the size of the key. This is all well and good, except for one problem? How do you distribute the key...

We saw in my previous post that substitution ciphers are a method of encoding a message such that its contents are unintelligible (much like the ramblings of many of the presidential candidates), and they are fairly easy to break with computers that can iterate over them very quickly. Enter the concept...

It's been a long time since I took the unit on encryption in my 4th year Telecommunications class in university, but I did quite well in it (I believe I got 5/5 on the assignment). For you see, the concept of encryption is relevant to our next section on email authentication: DomainKeys, a method of...

In documentation that Microsoft is going to release shortly, they have some recommendations on how to set up your SenderID records as well as a list of frequently asked questions. I will post a link to the relevant documents when they become available. For now, here's a sneak peek at some of the comments...

Microsoft is shortly coming out with some documentation on SenderID and the business case for its implementation. Hopefully by now I have demonstrated its usefulness. The Purported Responsible Address has a couple of advantages when deciding to support SenderID vs SPF: It is the identity that is typically...

How would a spammer get around SPF? One way is the method used by Spammer-X in his book Inside the Spam Cartel . Spammer-X is a retired spammer (so he says) and goes into a lot of the details in his book. I'll give a review when I'm done this series on sender authentication in six months or so. According...