DomainKeys -- Yahoo's Sender ID Alternative

Summary: Not all large ISPs are using SPF to identify the e-mail sender. Yahoo! Mail has put its influence behind DomainKeys, which uses public and private cryptographic keys to digitally sign and e-mail message and prevent header forgery. It's still in the testing stage, but it's a technology that needs to succeed.

Yahoo! feels that e-mail needs a stronger approach to forgery that that offered by SPF (Sender Policy Framework), since spammers can fake some aspects of SPF. Their solution is DomainKeys, which is still in the early stages of study and acceptance, so I don't recommend adopting it yet, but something like DomainKeys is necessary to prevent header forgery.

Essentially DomainKeys consists of "signing" e-mail with an encrypted "signature" contained in the header. This system uses a public key/private key system that has been widely used in SSL secure communications between a customer's web browser and an online store, between a user and an online banking site, etc.

The private key is required to encrypt the signature, which would be done by the outbound e-mail server as the e-mail is sent out. The public key to verify the signature would be published in the domain's DNS record and checked when an e-mail message is received to make sure the signature hasn't been forged.

Thus e-mails containing signed DomainKeys contain an unforgable system of verifying the sender and contents of the e-mail message.

At this point, DomainKeys is in an early stage, with pilot projects being run. If widely adopted, it holds the promise of stopping fraudulent phishing attacks and identify spam messages.

Resource:

DomainKeys: Proving and Protecting Email Sender Identity. http://antispam.yahoo.com/domainkeys