The Beginning of the Crypto Era

Opinion: The e-mail authentication picture is getting murkier, but that's good. More credible systems are going online, and that means a real solution is closer.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

In a move that was totally expected, if a little early, Yahoo has announced that it will put its money where its mouth is and start checking Yahoo Mail with its DomainKeys system.

/zimages/3/28571.gifClick here to read more about Yahoos DomainKeys announcement.

The company had told me that it would do so by the end of the year, but I suppose it had had this last week, during the FTC e-mail authentication summit, as an internal deadline. Earthlink also announced that it will test DomainKeys on its system.

DomainKeys is important. It is the main implementation of the second of the two most credible approaches to SMTP authentication, specifically the use of cryptographic signatures to authenticate messages against the domains from which they were sent. The other approach—to check against the IP addresses of the servers in those domains—also moved forward recently with the second version of the Sender ID spec.

Dont assume that the DomainKeys implementation is the final form. There is an IETF group called ietf-mailsig working in preliminary stages to standardize the crypto approach to SMTP authentication and they might want to make some changes to the approach used by Yahoo. And I expect Yahoo to be open to such suggestions.

In fact, Yahoos openness to reasonable suggestions and unobjectionable licenses is a big reason to be optimistic about widespread adoption of it. Indeed, while Yahoo has intellectual property claims on its developments in DomainKeys, the company isnt being a jerk about it, like some other coMpanieS in this business that shall remain naMeleSs.

There are some interesting questions about DomainKeys and Yahoos handling of it. The first has to do with performance. My own first impression of cryptography as a solution was that the added performance burden on MTAs (message transfer agents, better known as mail servers) would be great and that many companies would have to upgrade their hardware to run a DomainKeys-enabled server with decent performance. In a recent eSeminar in which I participated, Richi Jennings of Ferris Research echoed this view.

But while its still too early to tell, theres reason to believe the performance issue is not as serious as first impressions would indicate. Ive spoken to Sendmail, the leading MTA company in the world, about it. Nobody, except Yahoo, has more hands-on experience actually testing and coding DomainKeys than Sendmail. Sendmail thinks the added performance burden, entirely CPU-based, is on the order of 15 percent to 20 percent. This isnt nothing, but MTAs arent typically CPU-constrained—they are network- and perhaps disk-constrained—so there could easily be spare CPU capacity in the typical MTA (unless its running Exchange Server or Notes, in which case its CPU-starved).

Next Page: Why no SPF implementation?