DomainKeys vs DKIM
DomainKeys is an authentication and validation technique for email. This article is more about the issues surrounding the technology (licensing, deployment and who actually supports it) than about the technology itself, but the mechanism is explained as well.
DomainKeys
DomainKeys is a digital-signature scheme for email, in the same spirit as PGP signing. PGP stands for Pretty Good Privacy. With PGP you create a key pair: a private key that you keep to yourself and a public key that you hand out to your friends. Signing is the operation that matters here: you sign data with your private key, and anyone holding your public key can check that signature and know both that the data came from you and that it has not been altered since. (Encryption runs the other way round, with the sender using the recipient's public key, and it is not what DomainKeys does: a DomainKeys-signed email is still readable by anyone who sees it in transit.)
DomainKeys applies that idea to mail. The sending server computes a cryptographic hash over the message body and a selected set of headers (From:, Subject:, Date: and so on), signs that hash with the domain's private key, and places the signature in a DomainKey-Signature: header (DKIM-Signature: in DKIM) together with the signing domain and a selector that names which key was used. A receiving server reads the domain and selector from that header, fetches the domain's public key from a DNS TXT record at <selector>._domainkey.<domain>, recomputes the hash over the headers and body as received, and checks the signature against it with the public key. If the signature verifies, the email passes validation; if anything that was signed changed in transit, or the signature was made with some other key, it fails. Under DomainKeys the domain named in the signature is required to be the domain of the From: (or Sender:) address, which is what ties the signature to the sender the recipient sees.
So, what exactly does this do for me?
A successful verification establishes several things:
- The domain named in the signature exists and publishes a signing key in DNS
- That domain signed the email, i.e. it vouches for having sent it
- The signed headers and the body have remained unchanged since the signature was created
- The From: address was not forged by a third party, since the From: header is among the signed headers and the signing domain must match it
So the recipient can conclude that the email is valid, really came from the domain it claims to come from, and was not altered in transit. Note what it does not prove: a valid signature says nothing about whether the signing domain is trustworthy. A spammer can sign mail from a domain they own just as well as a bank can. The signature tells the recipient which domain to hold responsible; the reputation of that domain has to be tracked separately.
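The signing and verification described above, as an added example in Go that is not part of the original article and uses only Go's standard library. It follows DKIM's rsa-sha256 signature with simple canonicalization: bh= carries the body hash, h= lists the signed headers, d= and s= name the domain and selector a verifier would use for the DNS lookup, and b= holds the signature. The DNS fetch is replaced by handing the public key to Verify directly; the message, the domain example.com, the selector sel1 and the key are all constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal parsed mail: header name -> value, plus the body.
type Message struct {
	Headers map[string]string
	Body    string
}

// bodyHash applies "simple" body canonicalization (CRLF line endings, trailing empty lines dropped, one CRLF at the end) and returns base64(SHA-256(body)).
func bodyHash(body string) string {
	b := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	b = strings.TrimRight(b, "\r\n") + "\r\n"
	sum := sha256.Sum256([]byte(b))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerInput builds the bytes the signature covers: each header named in h=, in that order, as "Name:value\r\n", then the DKIM-Signature header itself with b= left empty.
func headerInput(m Message, signed []string, sigHeader string) []byte {
	var sb strings.Builder
	for _, name := range signed {
		if v, ok := m.Headers[name]; ok {
			sb.WriteString(name + ":" + v + "\r\n")
		}
	}
	sb.WriteString("DKIM-Signature:" + sigHeader)
	return []byte(sb.String())
}

// Sign produces a DKIM-Signature header value (rsa-sha256, simple/simple) covering From, To, Subject and the body.
func Sign(m Message, domain, selector string, key *rsa.PrivateKey) (string, error) {
	signed := []string{"From", "To", "Subject"}
	unsigned := fmt.Sprintf(" v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), bodyHash(m.Body))
	digest := sha256.Sum256(headerInput(m, signed, unsigned))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// parseTags turns "k=v; k=v" into a map, splitting on the first '=' so base64 padding survives.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// Verify recomputes both hashes and checks the signature with pub, the key a real verifier fetches from DNS at <s>._domainkey.<d>.
func Verify(m Message, sigHeader string, pub *rsa.PublicKey) error {
	tags := parseTags(sigHeader)
	if tags["bh"] != bodyHash(m.Body) {
		return fmt.Errorf("body hash mismatch: body altered in transit")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	i := strings.LastIndex(sigHeader, "; b=") // ';' never appears in base64, so this is the b tag
	if err != nil || i < 0 {
		return fmt.Errorf("malformed signature header")
	}
	// The signature was computed with the b= value blanked out, so hash the header only up to "b=".
	digest := sha256.Sum256(headerInput(m, strings.Split(tags["h"], ":"), sigHeader[:i+4]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("bad signature: signed headers altered or key does not match")
	}
	return nil
}

// SampleMessage is a constructed message for the demo, not a real capture.
func SampleMessage() Message {
	return Message{
		Headers: map[string]string{"From": " alerts@example.com", "To": " someone@example.net", "Subject": " Your statement is ready"},
		Body:    "Hello,\n\nYour July statement is attached.\n",
	}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := SampleMessage()
	sig, _ := Sign(msg, "example.com", "sel1", key)
	fmt.Println("DKIM-Signature:"+sig, "\nas sent:", Verify(msg, sig, &key.PublicKey))
	msg.Body += "Click here: http://phish.invalid/\n" // altered in transit
	fmt.Println("body altered:", Verify(msg, sig, &key.PublicKey))
	msg = SampleMessage()
	msg.Headers["From"] = " ceo@example.com" // From: forged, body intact
	fmt.Println("From altered:", Verify(msg, sig, &key.PublicKey))
}
```

The three runs at the end show the properties listed above in action: the untouched message verifies, an appended body line fails on the bh= check before any RSA work is done, and a rewritten From: fails the signature check because From: is among the signed headers. A header the signer did not list in h= (say, a Reply-To: added later) would not be protected, which is why the choice of signed headers matters in real deployments.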
Domain Keys and DKIM
There are two variants of this PGP-like technique. DomainKeys is the branded name created by Yahoo (which has patents pending and/or granted on the technology). Yahoo created it to combat spam. DKIM, on the other hand, stands for DomainKeys Identified Mail. Yes, this is confusing: it sounds like the same thing, but it isn't. DKIM is a similar, but not identical, technique for validating email. It was produced by the Internet community at large (the IETF, which published it as RFC 4871) after Yahoo's DomainKeys. Yahoo's DomainKeys was released under a Yahoo license agreement. The Internet community balked at that license and produced a separate design that works similarly but is not under Yahoo's licensing terms.
Unfortunately, the separation did not hold. Yahoo's lawyers have stated that parts of the DKIM specification do, in fact, use patents that Yahoo holds. Because of this legal situation surrounding DKIM, what the DKIM creators had hoped to accomplish by separating it from Yahoo hasn't worked.
Fracture
Because Yahoo owns DomainKeys outright based on several patents, and also appears to claim ownership of parts of the DKIM implementation, neither is safe from licensing fees should Yahoo choose to require them. So it appears that neither DKIM nor DomainKeys is yet gaining wide acceptance as a result. Unfortunately, it is unclear just how many sites use DKIM or DomainKeys in production to validate email. Some large mail providers, such as Gmail and of course Yahoo, do use DomainKeys; Gmail also uses DKIM.
Because Yahoo created DomainKeys, it has a vested interest in this validation methodology. It is still unclear whether Yahoo actually validates inbound email that has been signed with DKIM. Yahoo's outbound servers, however, do appear to sign outbound email with DKIM.
What does Domain Keys or DKIM buy you?
Besides email authentication, DomainKeys is a stepping stone to more Yahoo services. For example, if you would like your IP address whitelisted with Yahoo, you first need to set up DomainKeys on your domain. Note that DomainKeys must be set up on the domain you intend to use in the From: line of your emails, because the signing domain has to match it. If you send from several From: domains, each of them needs its own key published in DNS and its own signing configuration.
As far as DKIM goes, it doesn't appear that there's much DKIM buys you yet. Some places use it, but many more do not. Both DomainKeys and DKIM are somewhat cumbersome to implement, which explains why some sites haven't begun using them. DNS can also get in the way. The public key is published as a TXT record, and a TXT record is made up of strings of at most 255 octets each: a 1024-bit RSA key fits in one such string, but a 2048-bit key does not and has to be stored as two strings that the resolver concatenates. Certain DNS hosting services, such as GoDaddy's Total DNS, do not support the necessary TXT record size, and that lack of proper DNS support can by itself prevent setting up these validation technologies.
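What the verifier's DNS lookup has to find, and why the record size matters, as an added example that is not from the article or from any DNS vendor: the code below, using only Go's standard library, builds the TXT record for a key, splits its value into the 255-octet strings a TXT record is made of, and parses the p= tag back into a key the way a verifier does after the lookup. The domain example.com and selector sel1 are placeholders and the keys are generated on the fly.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// maxTXTString is the RFC 1035 limit on one <character-string> inside a TXT record.
const maxTXTString = 255

// DKIMRecord is the DNS record a verifier looks up: owner name plus TXT payload.
type DKIMRecord struct {
	Name    string   // e.g. sel1._domainkey.example.com.
	Value   string   // full tag list: v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>
	Strings []string // Value split into <=255-octet character-strings, as the zone stores it
}

// NewDKIMRecord encodes pub in the p= format (base64 of the DER SubjectPublicKeyInfo) and
// splits the value into 255-octet pieces; a resolver concatenates the pieces when reading.
func NewDKIMRecord(domain, selector string, pub *rsa.PublicKey) (DKIMRecord, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return DKIMRecord{}, err
	}
	value := "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	var parts []string
	for rest := value; rest != ""; {
		n := len(rest)
		if n > maxTXTString {
			n = maxTXTString
		}
		parts = append(parts, rest[:n])
		rest = rest[n:]
	}
	return DKIMRecord{Name: selector + "._domainkey." + domain + ".", Value: value, Strings: parts}, nil
}

// Zone renders the record in zone-file syntax, one quoted string per piece.
func (r DKIMRecord) Zone() string {
	quoted := make([]string, len(r.Strings))
	for i, s := range r.Strings {
		quoted[i] = `"` + s + `"`
	}
	return r.Name + " IN TXT " + strings.Join(quoted, " ")
}

// FitsSingleString reports whether a DNS host that accepts only one 255-octet string per
// TXT record (the limitation discussed above) can hold this key at all.
func (r DKIMRecord) FitsSingleString() bool { return len(r.Strings) == 1 }

// PublicKeyFromRecord parses the p= tag of a fetched record back into an RSA key.
func PublicKeyFromRecord(value string) (*rsa.PublicKey, error) {
	for _, tag := range strings.Split(value, ";") {
		tag = strings.TrimSpace(tag)
		if !strings.HasPrefix(tag, "p=") {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(tag, "p="))
		if err != nil {
			return nil, err
		}
		key, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("p= tag does not hold an RSA key")
		}
		return rsaKey, nil
	}
	return nil, fmt.Errorf("no p= tag in record")
}

func main() {
	for _, bits := range []int{1024, 2048} {
		key, _ := rsa.GenerateKey(rand.Reader, bits)
		rec, err := NewDKIMRecord("example.com", "sel1", &key.PublicKey)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-bit key: %d octets, %d string(s), single-string host OK: %v\n%s\n",
			bits, len(rec.Value), len(rec.Strings), rec.FitsSingleString(), rec.Zone())
	}
}
```

Running it shows the 1024-bit record at 234 octets (one string) and the 2048-bit record at 410 octets (two strings). Before committing to a key size, check that your DNS host can store a multi-string TXT record; if it cannot, the 2048-bit key will be silently truncated or rejected and every signature made with it will fail verification.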
Overall
These technologies can help recipients distinguish genuine email from phishing attempts. The problems, though, are the licensing aspects, the difficulty of setting them up and the overall benefit. As an email marketer, you should determine whether the sites you plan to email support DKIM and/or DomainKeys. Most large ISPs support some form of DKIM/DomainKeys, but it isn't always the inbound (verification) side that is supported, and that is the side that matters to an email marketer. Yahoo specifically supports DomainKeys, but it is as yet unclear whether it supports DKIM on inbound email. Gmail supports DomainKeys and DKIM on both outbound and inbound email, according to references found on the Internet.
Corporations, on the other hand, are probably not supporting either DomainKeys or DKIM, strictly because of the licensing issues that could result. If DKIM is encumbered with Yahoo's patented techniques, it's just a matter of time before Yahoo decides to start requiring paid licenses to use the technologies. With Microsoft looking at buying Yahoo once again, it may not be safe to invest in DKIM or DomainKeys for corporate use.
Note that Boomerang presently supports DomainKeys only. Boomerang is working to support DKIM in the next month or so. However, Boomerang is also watching the licensing issues closely. Should licensing fees be required to continue using these technologies, Boomerang may have to re-evaluate the value they bring.
There are quite a few inaccuracies in your characterization of DKIM. DKIM wasn’t created in order to avoid Yahoo’s patent; in fact, the two Yahoo authors of the DomainKeys specification are also authors of DKIM. Rather, DKIM was created to provide a more robust solution that would survive more types of modification to which messages are frequently subjected.
I have seen no evidence that the licensing terms for the technology in DKIM are any obstacle to deployment. Deployment has been steadily rising, as shown in http://blogs.cisco.com/news/comments/domainkeys_identified_mail_dkim_grows_significantly/
Both corporate domains and those used by Email Sending Providers account for the significant growth.
Jim,
Thank you for your comment. However, one of the primary motivating factors for the creation of DKIM in the beginning was to make it an open standard and avoid Yahoo’s potential commercial licensing issues. The robustness to which you speak came later during the development process and was born out of the fact that Yahoo’s implementation failed on that front. The robustness was not originally the driving factor in DKIM’s creation. To be perfectly honest, there was no reason to create DKIM when Yahoo’s spec could have easily been extended to add the same robustness in DKIM. In fact, Yahoo’s spec as it sits could have been submitted to IETF as the RFC spec and then extended as necessary. So, there was no reason or need to create a rival specification. So, when it comes right down to it, because Yahoo’s technology could have been extended to offer what DKIM offers, the only argument left is the licensing issue.
Thanks again for your comment.
As far as the licensing and deployment issue, it’s not yet a problem because Yahoo hasn’t pressed the patent issue on DKIM. So, corporations are probably not aware yet of the potential encumbered nature of this technology. If Microsoft and Yahoo become one, all bets are off. Microsoft may want to own DomainKeys, and by extension, DKIM and may require licensing fees to continue to use any technology based on it. No such licensing motions have been made yet based on these assertions, but Yahoo and Microsoft haven’t yet concluded their deal either.
Again, thanks for your comment.
One last comment regarding those who authored DKIM. While former Yahoo employees may have authored DomainKeys and submitted the DKIM spec to the IETF, clearly it was not with the blessing of Yahoo, Inc. If Yahoo had fully supported the creation of the DKIM specification, then Yahoo would have abandoned DomainKeys in favor of DKIM long ago. Instead, we still see Yahoo not only holding out on actually supporting DKIM on inbound mail, they have submitted patent-holding documentation on the DKIM specification to the IETF. Clearly, Yahoo is not happy that DKIM exists and is staking a claim on part ownership in DKIM. Note that staking a patent claim is the first step in a potential patent battle over this technology. Right now it still appears Yahoo is in wait-and-see mode. Remember, though, whatever Yahoo now owns Microsoft will own if Yahoo is purchased.
Brian,
No, the DKIM design team was aware of the IPR associated with DomainKeys from the outset. Robustness was a driving factor from the start; DKIM came about as a merger between DomainKeys and Cisco’s Identified Internet Mail specifications. It was not possible to compatibly extend DomainKeys because of the need to calculate the signature differently (specifically, to self-sign it) to make the protocol robust.
With reference to your “former Yahoo employees” comment, both of the DomainKeys authors are, to my knowledge, still at Yahoo.
Yahoo is indeed verifying DKIM signatures. See http://help.yahoo.com/l/us/yahoo/mail/postmaster/basics/postmaster-15.html for verification of this.
Jim,
While I understand the self-sign argument, there must have been some other motivation behind not extending DomainKeys itself. There is no software that cannot be reworked. Therefore, I can find no other explanation to create a second specification when the original could have been extended and submitted as a draft. Since Yahoo was the primary and, as far as I know, only user of DomainKeys at the time, changing the specification wouldn’t have been that difficult. Perhaps it would have been a difficult rollout for Yahoo on their own internal servers, but not for everyone else.
Even still, extending the protocol doesn't require that it be an all-or-nothing situation. Extending it means making Version 2. So, Version 2 is compatible with both Version 1 legacy and Version 2. Version 1 wouldn't be compatible with Version 2 (as expected). If DKIM had been represented as DomainKeys version 2 (intended to obsolete DomainKeys eventually), then I'd understand your statements better. Right now, DKIM is confusing to our clients because they don't understand the difference between DKIM and DomainKeys, nor do they understand why they both exist. In fact, there is no reason for both to exist other than for confusion. Ultimately, one of them needs to go away. Which one, that's for others to decide. But the Internet doesn't need both of these to continue to exist when they both effectively provide the end user with the same result.
As for the Yahoo authors, the DKIM information that I located earlier did not appear to contain any Yahoo authors (Document 5585). So, I assumed they had moved on. However, I just pulled the actual draft (4871) and this document does contain the Yahoo authors. I’m not sure why the first search of DKIM RFC led me to 5585. Probably because it was written this year. Of course, the 4871 draft was written in May 2007, so they may no longer be there.
As far as support for DKIM, that's the first page I've found on Yahoo that mentions it (and it was updated 1.5 weeks ago on July 10th, 2009). Although, I will say that it doesn't explicitly state that Yahoo supports DKIM. It simply says to 'use an authentication system such as DKIM'. This only implies support. I'd still want to test it to make sure it is, in fact, supported and working before I hand it off to our clients.
Thanks.
Has there been any progress with yahoo checking DKIM as a validation technique? Email authentication is not yet as simple as it should be. By now I wish the world agreed on standards that would save us from the unregulated huge amounts of spam circulating around the world.
lol… anyways… is yahoo supporting DKIM now? Everyone knows they sign their own mail with DKIM
Yes, Yahoo has implemented DKIM, but they still support Domain Keys. We are in the process of rolling out support for Yahoo’s DKIM support. Since they supported Domain Keys first (and still support it), we can sign using Domain Keys at Boomerang.