Your E-Mail Is Getting a Reputation

Opinion: I hereby declare that DomainKeys has won the SMTP authentication battle. But the war against mail abuse isn't over, and the next stage isn't well-understood.

It's taken so long for e-mail authentication to get to this point that you might assume the whole idea had failed and been forgotten. Not true. The really important work has gone on, out of the spotlight.

Yahoo and Cisco's announcement that they will merge their similar public key cryptography-based specs for authentication is a good example. Yahoo hasn't blabbed about it, but DomainKeys has gained a lot of momentum since its formal announcement late last year. DomainKeys support is available for most, if not all, the major mail servers, and further significant announcements will come in the next few days.

And Microsoft has not sat still with its Sender ID spec, even if the license was widely rejected. (You can assume that the licenses for DomainKeys and the new DomainKeys Identified Mail will not include the poison pills in Microsoft's, and will be acceptable to open-source developers.) Microsoft has continued with promised Sender ID development for its own Hotmail and has also added support for Habeas e-mail certification.

All through the contentious and ultimately failed e-mail authentication standards proceedings last year there was an undercurrent of opinion that DomainKeys was the better solution, but an assumption that practical deployment of it was further out than for the alternatives, principally Sender ID. In fact, there were a variety of alternatives discussed in technical circles, but all these months later none of them has any real traction aside from SPF, and no serious people view SPF as a real solution to the problems of e-mail. Even the father of SPF, Meng Weng Wong, founder of, worked with Microsoft on Sender ID because SPF didn't address the full range of problems it needed to.

So with a small amount of hesitation I hereby declare DomainKeys—and, by extension, DomainKeys Identified Mail—the winner in the SMTP authentication battle. (I bet you didn't know I had the authority to do that.) But will they win the battle and lose the anti-spam war?

There is still the problem of Sender ID and alternative implementations, and it's necessary in the long term for one standard to be dominant. If more than one authentication standard is supported by major players in the world of e-mail and you want your e-mail to authenticate properly, you have to support both standards both inbound and outbound. This could get interesting if the two specs are DomainKeys Identified Mail and Sender ID, since both add a chunk of data in the DNS, and we'll hear some administrator whining about it all.

But DomainKeys, at least, can clearly work in the real world. Yahoo has been using it on its own servers and claims that it has been "receiving more than 350 million messages signed by DomainKeys per day," so someone else is using it.
