Yahoo Publishes IETF Draft For DomainKeys

Yahoo submitted a draft of its proposed junk mail solution, DomainKeys, to the Internet Engineering Task Force (IETF). The proposal outlines the concepts and some of the technical specifications that could be implemented by mail servers to help verify the identity of the actual domain used to send email messages. Yahoo anticipates that such identification will help pinpoint people who send unwanted or illegal email solicitations.

According to the proposal, a mail server using DomainKeys would digitally sign messages after they are received from senders and before they're sent to their destinations. The proposal suggests the use of RSA and Secure Hash Algorithm-1 (SHA1) to sign the entire mail message, including the headers.

A digital signature would be prepended to the top of the mail headers, which can then be processed by the receiving mail server to verify that the message actually came from the domain it claims to originate from. Such a signature might look like the following (as excerpted from the IETF draft):

DomainKey-Signature: a=rsa-sha1; s=brisbane;; c=simple; q=dns;  b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR;

The tags specify the method used for signing ("a" tag), the selector in case multiple keys are used in a given domain ("s" tag), the domain name ("d" tag), the canonical processing method used to process the message ("c" tag),  the query type ("q" tag), and the signature data encoded in Base64 ("b" tag).

After a message has been verified by a receiving mail server, the mail server would prepend another line indicating the status of the message:

DomainKey-Status: good

Mail servers can decide how to handle email after processing the signature. For example, domain operators could choose to drop all email that doesn't have a valid DomainKeys signature. Or they could pass the email along to recipient mailboxes anyway.

DNS servers would host the public domain keys used to verify messages. The keys would be published in TXT record types using tags to denote aspects of the DomainKeys implementation. Tags include granularity of the key, key type, notes, the public key data, and a testing mode tag to let other domains know a given site is still testing DomainKeys. A typical DNS TXT record might look like the following (as excerpted from the draft):

brisbane._domainkey IN TXT "g=; k=rsa; p=MEwwDQYJKoZIhvcNAQEB ... IDAQAB"

Yahoo intends to patent DomainKeys, however, according to the DomainKeys Web page the company will offer royalty-free use to anyone under the following terms: 

Yahoo! will grant a royalty-free, worldwide, non-exclusive license under any Yahoo! patent claims that are essential to implement or use any Implementations so that licensees can make, use, sell, offer for sale, import, or yodel Implementations; provided that the licensee agrees not to assert against Yahoo!, or any other Yahoo! licensees of Implementations, any patent claims of licensee that are essential to implement or use any Implementations.

You can learn more about DomainKeys at Yahoo's new DomainKeys Web page and read the draft proposal at the IETF Web site.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.