What are Domain Keys?

DomainKeys and DKIM are part of Yahoo's attempt to separate legitimate email from spam. Essentially, mail servers generate a public/private key pair, sign outgoing messages with the private key, and publish the public key as part of the domain's DNS records. Because only the domain owner can publish records under that domain, a valid signature confirms that the sender of the email has not been spoofed. The presence or absence of a valid signature can then be used as one input to the process of identifying spam.

Benefits of Domain Keys

Domain Keys is solely an authentication system. It is not a magic bullet for spam, nor is it an authorization system, a reputation system, a certification system, or a trust system. Yahoo, however, gives great weight to senders who have implemented Domain Keys. In practically all cases Yahoo's whitelisting questionnaire explicitly asks whether Domain Keys have been implemented or when the sender plans to implement them. With Yahoo accounting for between 20-30% of all mail IDs, whitelisting with Yahoo is a significant benefit.

How Domain Keys work

Under Domain Keys, a domain owner generates one or more private/public key pairs that will be used to sign messages originating from that domain. The domain owner places the public key in his domain namespace (i.e., in a DNS record associated with that domain), and makes the private key available to the outbound email system. When an email is submitted by an authorized user of that domain, the email system uses the private key to digitally sign the email associated with the sending domain. The signature is added as a header to the email, and the message is transferred to its recipients in the usual way.

When a message is received with a Domain Key signature header, the receiving system can verify the signature as follows:

  • Extract the signature and claimed sending domain from the email.
  • Fetch the public key from the claimed sending domain namespace.
  • Use the public key to determine whether the signature on the email was generated with the corresponding private key, and thus whether the email was sent with the authority of the claimed sending domain.

In the event that an email arrives without a signature or when the signature verification fails, the receiving system retrieves the policy of the claimed sending domain to ascertain the preferred disposition of such email. Armed with this information, the recipient system can apply local policy based on the results of the signature test.
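The following Go program is an added example of the sign, publish and verify cycle described above; it is written for this page and is not Yahoo's DomainKeys implementation. It assumes an in-memory map standing in for DNS TXT lookups, a simplified signature header of the form `a=...; d=...; s=...; b=...`, RSA with SHA-256 (the original DomainKeys specified rsa-sha1), and a naive canonicalization that joins headers and body with CRLF. The public key is published at `<selector>._domainkey.<domain>`, and the verifier shows all three outcomes the text mentions: a good signature, a tampered message, and a message signed with a key that was never published for the claimed domain (a spoof attempt that fails verification).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// txtRecords stands in for DNS: record name -> TXT value. Constructed for this
// example; a real receiver would issue a TXT query for the name.
type txtRecords map[string]string

// signingDomain is what the outbound mail system holds: the domain it signs for,
// the selector that names the key, and the private key itself.
type signingDomain struct {
	domain, selector string
	priv             *rsa.PrivateKey
}

// newSigningDomain generates a fresh RSA key pair for the domain.
func newSigningDomain(domain, selector string) (*signingDomain, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &signingDomain{domain: domain, selector: selector, priv: priv}, nil
}

// recordName is the DNS name at which the public key is published.
func recordName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// publish places the public key in the (simulated) DNS as "k=rsa; p=<base64 DER>".
func (s *signingDomain) publish(dns txtRecords) error {
	der, err := x509.MarshalPKIXPublicKey(&s.priv.PublicKey)
	if err != nil {
		return err
	}
	dns[recordName(s.selector, s.domain)] = "k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return nil
}

// canonical is the byte string that gets signed (deliberately simplified).
func canonical(headers []string, body string) []byte {
	return []byte(strings.Join(headers, "\r\n") + "\r\n\r\n" + body)
}

// sign hashes the canonical message, signs it with the private key and returns
// the value of the signature header that is added to the outgoing message.
func (s *signingDomain) sign(headers []string, body string) (string, error) {
	sum := sha256.Sum256(canonical(headers, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("a=rsa-sha256; d=%s; s=%s; b=%s",
		s.domain, s.selector, base64.StdEncoding.EncodeToString(sig)), nil
}

// tagValue pulls one "tag=value" out of a semicolon-separated tag list.
func tagValue(list, tag string) (string, bool) {
	for _, part := range strings.Split(list, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && kv[0] == tag {
			return kv[1], true
		}
	}
	return "", false
}

// verify is the receiving side: extract d= and s= from the header, fetch the
// public key from DNS, and check the signature over the canonical message.
func verify(dns txtRecords, sigHeader string, headers []string, body string) error {
	domain, okD := tagValue(sigHeader, "d")
	selector, okS := tagValue(sigHeader, "s")
	b64sig, okB := tagValue(sigHeader, "b")
	if !okD || !okS || !okB {
		return errors.New("signature header missing d=, s= or b=")
	}
	record, ok := dns[recordName(selector, domain)]
	if !ok {
		return errors.New("no public key published at " + recordName(selector, domain))
	}
	p, ok := tagValue(record, "p")
	if !ok {
		return errors.New("DNS record has no p= tag")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return err
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return errors.New("published key is not RSA")
	}
	sig, err := base64.StdEncoding.DecodeString(b64sig)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(canonical(headers, body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

func main() {
	dns := txtRecords{}
	owner, _ := newSigningDomain("example.com", "mail") // constructed domain
	_ = owner.publish(dns)
	headers := []string{"From: alice@example.com", "To: bob@example.net", "Subject: hello"}
	sig, _ := owner.sign(headers, "Hi Bob")
	fmt.Println("genuine:", verify(dns, sig, headers, "Hi Bob"))
	fmt.Println("tampered:", verify(dns, sig, headers, "Hi Bob, send money"))
	spoofer, _ := newSigningDomain("example.com", "mail") // same names, unpublished key
	fake, _ := spoofer.sign(headers, "Hi Bob")
	fmt.Println("spoofed:", verify(dns, fake, headers, "Hi Bob"))
}
```

The spoof case is the point of the scheme: the impostor can put `d=example.com` in the header and sign with any key it likes, but the verifier only trusts the key found in example.com's own DNS, which the impostor cannot write to, so the check fails.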
