Yahoo flips the switch on DomainKeys

Yahoo is turning on its home-grown anti-spam technology called DomainKeys today, and EarthLink says it too will simultaneously start testing the technology today. The average Yahoo Mail user probably won’t notice a thing. But it’s a reminder of how disunited the major email providers are about which technology to use to combat spam.

The Internet engineering community and the largest e-mail providers — Yahoo, Microsoft, AOL and EarthLink —  have been butting heads for some time now in search of a common technology they could use to stem the flow of spam and phishing.

A technology birthed by Microsoft called Sender ID (or SPF) has received the most attention lately — both good and bad. But another segment of the Internet community favors Yahoo’s DomainKeys concept, in part because the company has made it widely available for free. Cisco Systems is promoting a similar system called Identified Internet Mail.

Such divisions might not be a problem except that the technology can’t be truly effective unless everybody uses the same system.

DomainKeys, for example, works by having a mail provider (such as Yahoo) attach a digital “signature” to each email message, verifying that it really came from that domain, such as yahoo.com or ibm.com. The ISP that receives the message can read the signature and verify where the message come from. Spammers who try to disguise the origin of their messages —  by putting phony email addresses in the “From:” field, for example — would be exposed and their mail blocked.

But if just half the ISPs in the world are using DomainKeys and attaching signatures, or just half can decipher DomainKeys signatures when they receive mail, it greatly diminishes the effect of the technology.

So why is Yahoo moving ahead with DomainKeys, even though the industry has not agreed on a common standard or technology?

“Yahoo is putting it out there because, for them, it works better than a SenderID/SPF approach,” Ray Everett-Church, counsel for the Coalition Against Unsolicited Email, told us in an email. “They’ve got a lot of experience with a massive email infrastructure, and if you ask other people who work on massive email infrastructures, you’ll find that they almost uniformly find DomainKeys to be a simple, even elegant, approach.”

Daniel Quinlan, vice president of the SpamAssassin project for the Apache Software Foundation, said there are practical reasons, too.

“The deployment by Yahoo! will move the proposal forward and make it possible to experiment on even more
real-world email,” he said. “They have to start somewhere and this seems like a very good start. ”

Internet companies say the various proposals being bandied about don’t have to be mutually exclusive. In a letter to the Federal Trade Commission, more than three dozen companies said Sender ID and DomainKeys could be phased in one after another.

Either way, it’s apparent that a solution may not be forthcoming soon. An FTC meeting last week to address the issue apparently did little to move the sides closer together. As AOL spokesman Nicholas Graham told the Washington Post before the summit: “I think it’s also a good time for the companies to level with the FTC in terms of expectations. Unfortunately the expectations are a little ahead of where they ought to be. This is going to be a long process and necessarily so.”